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The  primary  objective  of  the  reliability  and  maintainability  evaluation  of  the  DABS 
sensors  is  to  ascertain  any  weak  points  or  problem  areas  in  the  system  design. 

These  are  evidenced  by  the  occurrence  of  distinct  or  repetitive  hardware  failure 
patterns,  as  well  as  unusual  difficulties  encountered  in  diagnosing,  isolating,  and 
correcting  these  failures.  A secondary  objective  is  to  obtain  mean-time-between- 
failures  (MTBF),  mean  downtime  (MDT),  and  90th  percentile  values  of  maximum  correc- 
tive maintenance  times  for  both  the  single-channel  sensors  being  delivered  and  a 
theoretically  constructed  dual-channel  sensor.  These  values  would  then  be  compared 
with  the  corresponding  values  specified  in  the  engineering  requirement  (ER). 

' Each  sensor  will  be  broken  down  for  reliability  purposes  into  over  200  individual 
reliability  elements.  A complete  and  comprehensive  running  account  of  the  opera- 
tional status,  failure,  and  maintenance  history  of  each  of  these  reliability  elements 
will  be  provided,  by  use  of  the  Automated  Reliability  Assessment  Program  (ARAP),  to 
be  operated  on  the  Honeywell  computer.  By  further  use  of  automated  techniques,  the 
MTBF,  MDT,  and  maximum  corrective  maintenance  times  will  be  computed  for  both 
single-  and  dual-channel  sensors. 

>This  paper  provides  a detailed  description  of  the  data  collection  and  analysis 
procedures  to  be  used  in  this  evaluation.  Including  the  automated  techniques  and 
mathematical  models  employed  in  the  analysis.^; 
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RELIABILITY  AND  MAINTAINABILITY  EVALUATION  FOR  THE  DABS 
ENGINEERING  LABORATORY  MODELS 

INTRODUCTION 


PURPOSE. 


The  primary  purpose  or  objective  of  the  reliability  and  maintainability 
evaluation  of  the  Discrete  Addreaa  Beacon  System  (DABS)  sensors  is  to  ascer- 
tain any  weak  points  or  problem  areas  in  the  system  design.  These  are  evi- 
denced by  the  occurrence  of  distinct  or  repetitive  hardware  failure  patterns, 
as  well  as  unusual  difficulties  encountered  in  diagnosing,  isolating,  and 
correcting  these  failures.  By  identifying  such  problem  areas  in  the  develop- 
mental or  engineering  laboratory  models,  they  can  be  taken  into  consideration 
in  the  preparation  of  the  production  specifications  to  be  developed. 

A secondary  objective  is  to  obtain  some  figures  of  merit  or  numerical  indexes 
of  the  overall  system  reliability  and  maintainability  of  the  DABS  sensor,  and 
compare  these  figures  to  the  corresponding  values  specified  in  the  engineer- 
ing requirement  (ER).  The  figure  of  merit  for  reliability  is  the  mean  time 
between  failures  (MTBF),  which  is  defined  as  the  average  length  of  time  that 
the  system  can  be  expected  to  operate  without  experiencing  a functional 
failure  due  to  hardware  malfunction.  A functional  failure  is  a hardware 
failure  which  causes  either  the  complete  or  a partial  loas  of  system  func- 
tional capability.  The  ER  specifies  the  MTBF  as  1,000  hours  for  the  single- 
channel sensor  and  20,000  hours  for  the  dual-channel  sensor. 

The  figure  of  merit  for  maintainability  is  the  mean  downtime  (MDT),  or  mean 
corrective  maintenance  time.  This  is  defined  as  the  average  length  of  time 
that  corrective  maintenance  effort  is  applied  to  correct  a hardware  failure. 
The  ER  specifies  the  MDT  as  1 hour  for  both  the  single-  and  dual-channel 
sensors.  The  ER  further  specifies  the  maximum  corrective  maintenance  time  as 
2 hours  at  the  90th  percentile  for  both  sensors. 

BACKGROUND. 

The  DABS  concept  is  an  improvement  over  the  presently  used  Air  Traffic  Control 
Radar  Beacon  System  (ATCRBS)  in  that  it  provides  a higher  quality  surveillance 
capability  and  accuracy,  as  well  as  providing  a two-way  communications  or  data 
link.  The  DABS  concept  will  also  be  able  to  provide  a ground-based  conflict 
resolution  service  called  the  Automatic  Traffic  Advisory  and  Resolution 
Service  (ATARS). 

The  DABS  employs  ground-based  sensors,  or  interrogators,  and  airborne  trans- 
ponders. The  DABS  has  been  designed  as  an  evolutionary  replacement  for  ATCRBS 
to  provide  the  enhanced  surveillance  and  communications  capability  required 
for  air  traffic  control  (ATC)  in  the  1980's  and  1990’s.  Compatibility  with 
ATCRBS  has  been  emphasized  to  permit  an  extended  and  economical  transition. 
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The  requirement  for  the  development  of  DABS  was  identified  in  the  1969  Depart- 
ment of  Tranaportat ion  Air  Traffic  Control  Adviaory  Committee  atudy.  The 
firat  phaae  of  DABS  development  conaiated  of  a feaaibility  atudy  and  valida- 
tion of  the  DABS  concept.  Thia  atudy  was  conducted  by  the  Massachusetts 
Institute  of  Technology  (MIT)  Lincoln  Laboratory.  After  aucceaafully  demon- 
strating the  feasibility  of  the  DABS  concept,  ER's  were  prepared  by  Lincoln 
Laboratory  for  the  development  of  three  single-channel  DABS  sensors  which 
could  operate  as  a network  and  interface  with  en  route  and  terminal  ATC 
facilities. 

Texas  Instruments,  Inc.  (TI),  was  awarded  a contract  to  fabricate  the  three 
engineering  laboratory  models  of  the  DABS  senaor.  These  are  currently  being 
fabricated  at  the  TI  plant  in  Plano,  Texas,  for  installation  at  National 
Aviation  Facilities  Experimental  Center  (NAFEC)  and  Clementon  and  Elwood,  New 
Jersey.  After  completing  factory  acceptance  tests,  the  sansors  will  be  deliv- 
ered to  the  three  sites,  installed,  and  subjected  to  field  readiness  tests. 

All  of  this  will  be  the  responsibility  of  the  contractor  (TI),  with  NAFEC  and 
other  Federal  Aviation  Administration  (FAA)  personnel  providing  assistance. 
Upon  completion  of  the  field  readiness  tests,  the  NAFEC  performance  tests  will 
be  performed  on  the  sensors.  The  reliability  and  maintainability  evaluation 
described  in  this  paper  is  a part  of  the  NAFEC  performance  tests. 

The  general  purpose  of  the  factory  acceptance,  field  readiness,  and  NAFEC 
performance  tests  is  to  verify  the  extent  to  which  the  DABS  functions  comply 
with  those  specified  in  the  ER.  It  is  intended  that  those  ER  requirements 
which  are  successfully  demonstrated  during  the  factory  acceptance  or  field 
readiness  tests  need  not  be  repeated  in  the  NAFEC  performance  tests. 

TEST  PHILOSOPHY. 

The  objectives  of  the  reliability  and  maintainability  evaluation  can  be 
achieved  by  a study  of  the  hardware  failures  that  occur  during  normal  everyday 
use  of  the  sensor;  i.e.,  whenever  it  is  energised.  Hence,  it  will  not  be 
necessary  to  perform  any  special  reliability  tests,  since  failure  data  will 
be  obtained  during  the  time  that  the  NAFEC  performance  tests  are  being  con- 
ducted. If  additional  failure  data  are  needed,  this  can  be  obtained  during 
any  subsequent  testing  or  usage  periods. 

In  addition  to  the  MTBF  and  mean  and  maximum  corrective  maintenance  times 
mentioned  previously,  the  ER  contains  several  other  reliability  and  maintain- 
ability requirements.  These  include  recovery  requirements  for  the  sensors 
following  power  restoration  after  external  power  interrupts  (3.9.4.1.d  and 
3.9.4.2.d  of  ER-240-26).  Also  included  are  automatic  recovery  requirements 
after  failure  of  redundant  units  (3. 9. 4. I.e  and  3.9.4.2.e  of  ER-240-26). 
Demonstration  of  these  recovery  requirements  would  require  specific  scenarios 
in  which  power  interrupts  and  hardware  failures  would  be  introduced  into  the 
equipment,  time  to  recovery  observed,  and  condition  of  the  files  and  various 
software  features  noted.  These  recovery  teat  procedures  are  therefore  dis- 
cussed under  the  Failure/Recovery  Mode  Section  of  the  Performance  Test  Plan. 
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The  three  DABS  sensors  to  be  delivered  will  be  single-channel  sensors.  These 
can  be  broken  down  for  reliability  purposes  into  20  reliability  element  types, 
comprising  approximately  200  individual  reliability  elements  per  sensor.  These 
are  shown  in  table  1.  These  reliability  elements  vary  in  complexity  from  a 
complete  equipment  subunit,  such  as  a transmitter  or  processor,  down  to  a 
portion  of  a single  printed  circuit  board  (PCB),  such  as  the  conmunications 
interface  PCB-serial  element. 


TABLE  1.  RELIABILITY  ELEMENT  TYPES 


No.  in  Sensor 


Air-Conditioners 

Antenna  Croup 

Transmitter 

Receiver 

Processor 

WWVB  Receiver 

Til ines 

Couplers 

Interface  PCB's 

♦5-Volt  Power  Supplies 

♦^2-Volt  Power  Supplies 

DABS  Computers 

176k  Memory  Modules 

Memory  Monitor  Switching  Element 

Memory  Monitor  Serial  Element 

Communications  Interface  PCB-Serial  Element 

Communications  Interface  PCB-Channel  Element 

Modems 

Link  Switches 
Primary  Radar  Interface 


Total- 


A complete  and  comprehensive  running  account  of  the  operational  status, 
failure,  and  maintenance  history  of  each  of  these  reliability  elements  will  be 
provided  by  a data  processing  system  known  as  the  Automated  Reliability 
Assessment  Program  (ARAP).  The  ARAP,  which  was  developed  in  1971  by  NAFEC, 
(Report  No.  FAA-RD-74-16  entitled  "Automated  Reliability  Assessment  Program" 
by  J.  Wojciech  (Wo jciechowicz ) , April  1974),  is  a set  of  procedures  and 
computer  programs  used  to  reduce  and  analyze  failure  and  maintenance  data. 

The  ARAP  was  originally  designed  to  be  run  on  the  7090  computer.  In  1977,  the 
7090  was  replaced  by  a Honeywell  computer  with  provisions  for  accessibility  by 
remote  terminals.  Consequently,  the  ARAP  has  been  converted  for  operation  on 
the  Honeywell  computer.  This  continuous  history  of  over  200  elements,  made 
available  through  use  of  the  ARAP,  should  not  only  enhance  the  recognition  of 
distinct  or  repetitive  failure  patterns  but  should  also  outline  any  unusual 
difficulties  encountered  in  repairing  these  failures. 
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Not  every  hardware  failure  that  occurs  in  the  DABS  sensor  will  cause  degra- 
dation of  system  function.  This  is  because,  even  in  the  single-channel 
sensors  which  will  be  evaluated,  several  of  the  subsystems  contain  redundant 
elements.  Should  one  of  these  elements  fail,  its  function  will  be  taken  over 
by  a dedicated  redundant  counterpart,  and  the  system  will  experience  no  loss 
of  functional  capability.  Such  failures  can  be  effectively  converted  into 
an  equivalent  number  of  functional  failures  through  the  use  of  mathematical 
models  which  take  these  redundant  elements  into  account.  With  all  hardware 
failures  thus  converted  info  an  equivalent  number  of  functional  failures, 
these  mathematical  models  can  be  used  to  compute  the  effective  system  MTBF  and 
MDT  of  both  the  actual  single-channel  sensor  as  well  as  a theoretically 
constructed  dual-channel  sensor. 

The  mathematical  models  will  be  programed  for  electronic  data  processing.  The 
inputs  to  these  mathematical  models  will  consist  of  the  total  uptimes,  total 
downtimes,  and  total  number  of  actual  hardware  failures  that  have  occurred 

(over  a given  time  interval  for  each  of  the  20  reliability  element  types. 

These  will  be  obtained  from  the  ARAP  summary  printouts  and,  after  suitable 
screening  to  eliminate  statistically  inordinate  values  (outliers),  the  correc- 
ted data  will  be  applied  to  the  computer.  The  mathematical  models  will  not 
only  take  into  account  .the  presence  of  redundant  elements  but  will  also  take 
into  account  the  manner  in  which  such  redundant  elements  are  repaired  when 
failure  occurs.  Some  redundant  elements  will  be  repaired  immediately  upon 
failure;  others  will  be  left  in  the  system  until  some  convenient  time  occurs 
in  which  to  effect  repairs.  Under  worst-case  conditions,  this  would  be  the 
next  30-day  scheduled  maintenance  period  (720  hours)  for  the  single-channel 
sensor.  The  program  will  also  have  the  capability  of  varying  this  worst-case 
time  from  720  hours  to  any  desired  interval  (i.e.,,1  day,  1 week,  10  days, 
etc.)  to  determine  the  effect  of  such  variation  upon  the  system  MTBF. 

In  addition  to  the  three  sensors  themselves,  reliability  and  maintainability 
evaluations  will  be  performed  on  certain  associated  equipment,  which  will  be 
delivered  by  TI  and  used  in  conjunction  with  the  three  sensors.  This  associ- 
ated equipment  includes  the  following:  the  front-end  processor  (FEP),  the 
system  test  console  (STC),  the  program  support  equipment  (PSE),  and  the  modems 
located  at  the  ATC  facilities  with  which  the  DABS  sensors  interface.  A 
separate  reliability  and  maintainability  evaluation  will  be  performed  for  each 
of  the  above  four  categories  of  associated  equipment. 

The  FEP  will  interface  the  communications  inputs  and  output  from  the  DABS 
sensor  at  NAFEC  to  the  9020  computer  there.  The  STC,  also  located  at  NAFEC, 
will  monitor  all  sensor-to-sensor  interfaces  and  sensor-to-ATC-facilities 
interfaces.  The  PSE  is  an  offline  computer  facility  including  memory, 
peripherals,  etc.  It  is  used  for  compiling  programs,  quick-look  analysis  of 
recorded  DABS  data,  etc. 

These  associated  equipments  include  many  element  types  which  are  also  con- 
tained in  the  sensors  themselves.  These  include  DABS  computers,  global 
memories,  Tilines  (a  TI  term  for  an  interface  bus),  modems,  and  communications 
interface  PCB's.  These  element  types  will  not  be  combined  with  those  of  the 
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DABS  sensor  in  the  mathematical  models  for  MTBF  and  HDT  determination,  since 
this  applies  only  to  the  sensor  elements  themselves.  The  reliability  and 
maintainability  evaluations  for  the  FEP,  STC,  PSE,  and  ATC  modems  will  show 
the  failure  and  maintenance  information  on  the  elements  comprising  each 
respective  equipment  grouping.  However,  statistical  comparison  may  be  made 
between  element  types  in  these  four  categories  and  the  corresponding  element 
types  in  the  sensor. 

DATA  COLLECTION 


GENERAL. 

Data  collection  will  consist  of  logging  any  event  or  situation  which  is 
different  from  the  normal  energized  and  operational  status  of  the  equipment. 
Such  events  include:  equipment  shutdown,  scheduled  maintenance  (.when  equip- 
ment shutdown  is  involved),  hardware  failures,  engineering  changes,  and 
changes  in  system  configuration.  These  events  will  be  coded  onto  punched 
cards  which  will  be  associated  with  the  specific  reliability  elements  to  which 
the  events  pertain.  These  cards  will  then  be  applied  to  the  ARAP  system  for 
processing  and  consolidation  of  the  element  failure,  maintenance,  and  status 
histories. 

RELIABILITY  MODELS. 

To  facilitate  the  collection  and  subsequent  analysis  of  the  data,  a reli- 
ability model  of  the  DABS  sensor  is  used.  This  reliability  model  depicts  the 
major  equipment  subunits  which  must  be  operational  to  achieve  full  and  com- 
plete system  functional  capability.  When  one  of  these  major  subunits  involves 
redundant  elements,  the  model  indicates  the  degree  of  such  redundancy. 

The  reliability  model  to  be  discussed  here  pertains  to  the  single-channel 
sensors  to  be  delivered.  The  model  for  the  theoretically  constructed  dual- 
channel sensor  will  be  discussed  subsequently  in  the  Data  Processing  and 
Analysis  section  of  this  paper,  along  with  the  mathematical  model  for  the  MTBF 
and  MOT  determination  of  the  dual-channel  sensor. 

The  single-channel  DABS  reliability  model  is  divided  into  three  sections 
based  upon  physical  and  functional  considerations.  These  are  the  interrogator 
and  processor  (l&P)  section,  the  computer  section,  and  the  communicat ions 
section. 

The  I&P  section  of  the  reliability  model  is  shown  in  figure  1.  Note  the  block 
marked  "Processor."  This  includes  the  ATCRBS  and  DABS  processors,  modulation 
control  unit  (MCU),  performance  monitor  interface  for  the  processors,  and  other 
support  logic,  all  of  which  are  necessary  for  complete  equipment  functional 
capability.  All  of  this  is  physically  housed  in  one  equipment  drawer  known 
as  the  processor  drawer. 


FIGURE  1.  RELIABILITY  MODEL  OF  INTERROGATOR  AND  PROCESSOR  SECTION  OF  SINGLE-CHANNEL  SENSOR 


Note  the  (?)  symbology  in  the  air-conditioners  block.  This  symbology  indi- 
cates redundancy.  Two  identical  air-conditioners  are  provided;  however,  only 
one  is  required.  This  redundancy  symbology  will  be  used  throughout  the 
mode  1 . 

The  computer  section  of  the  reliability  model  is  shown  in  figure  2.  Physi- 
cally,the  computer  section  is  housed  in  a group  of  adjacent  equipment  racks, 
of  which  figure  3 shows  an  artist’s  conception.  Functionally,  the  computer 
section  is  divided  into  four  groups;  the  ATCRBS  group,  the  ensemble  group,  and 
global  memories  A and  B. 

The  ATCRBS  group  of  figure  2 consists  of  three  blocks;  the  ATCRBS  Tiline,  the 
5-volt  triplex  power  supply,  and  two  DABS  (modified  TI-990)  computers,  of 
which  one  is  redundant.  The  ATCRBS  Tiline  is  a motherboard,  or  master  circuit 
board,  into  which  are  plugged  the  circuit  cards  comprising  the  computers  and 
associated  elements,  such  as  couplers  and  interface  PCB’s.  The  ATCRBS  Tiline 
with  its  two  DABS  computers  are  physically  housed  in  the  ATCRBS  drawer,  shown 
as  the  upper  drawer  of  equipment  rack  unit  7 of  figure  3.  The  ATCRBS  drawer 
is  energised  by  the  +5-volt  triplex  power  supply,  shown  in  figure  2 as  the 
second  block  in  the  ATCRBS  group,  and  shown  physically  in  figure  3 as  the 
drawer  beneath  the  ATCRBS  drawer  (unit  7).  This  drawer  contains  three  iden- 
tical 5-volt  power  supplies,  any  two  of  which  can  maintain  the  ATCRBS  drawer 
operational;  hence,  the  (3)  symbology,  indicating  that  three  units  are  avail- 
able, two  of  which  are  required,  leaving  one  as  a redundant  unit. 

The  ensemble  group  includes  seven  ensemble  Tilines,  each  of  which  is  a mother- 
board and  physically  identical  to  the  ATCRBS  Tiline.  Each  ensemble  Tiline 
accommodates  four  DABS  computers,  all  of  which  are  physically  accommodated 
in  one  equipment  drawer.  The  seven  drawers  shown  in  figure  3 are  each 
marked  "Computer  Ensemble." 

The  ensemble  group  contains  30  computers.  Of  these,  28  are  contained  in  the  7 
ensemble  Tilines  while  the  remaining  2 are  physically  housed  in  the  ATCRBS 
Tiline.  Twenty-six  of  these  30  computers  are  required  to  maintain  the  system 
in  an  operational  state.  Twenty-four  of  these  26  required  computers  can  be 
provided  by  6 of  the  7 ensembles;  the  remaining  2 computers  being  available 
from  the  ATCRBS  and/or  communications  Tilines.  Hence,  the  (?)  redundancy 
symbology  indicating  that  one  of  the  seven  ensembles  is  redundant. 

Each  of  the  seven  ensembles  has  its  own  +5-volt  power  supply  drawer,  also 
shown  in  figure  3,  underneath  the  ensemble.  These  power  supply  drawers,  like 
the  ATCRBS  drawer,  have  a (3)  redundancy.  As  one  of  the  seven  ensembles  is 
redundant,  this  explains  the  double  redundancy  symbology  (^)  ( ^ ) shown  in 
in  the  +5-volt  triplex  power  supply  block  for  the  ensemble  group  of  figure  2. 

Global  memories  A and  B each  consists  of  a global  Tiline  to  which  are  attached 
several  strings  of  memory  elements,  each  of  which  totals  176k  words.  Global 
memory  A contains  two  sets  of  176k  memory  strings,  while  global  memory  B 
consists  of  one  such  set.  Each  set,  as  shown  in  figure  2,  consists  of  two 
176k  memory  strings,  one  of  which  is  redundant.  Each  global  Tiline,  with  its 
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FIGURE  2.  RELIABILITY  MODEL  OF  COMPUTER  SECTION  OF  SINGLE-CHANNEL  SENSOR 
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FIGURE  3.  ARTIST’S  CONCEPTION  OF  COMPUTER  SECTION 


attached  176k  memory  strings,  ia  physically  housed  in  a global  memory  drawer, 
which  ia  energised  by  a ♦5-volt  triplex  power  supply  located  just  underneath. 

The  communications  section  of  the  reliability  model  is  shown  in  figure  4. 

Like  the  computer  section,  the  coonunication  section  is  physically  housed  in  a 
group  of  adjacent  cabinets,  shown  in  artist's  conception  form  in  figure  5. 
Functionally,  it  can  be  divided  into  four  groups;  the  communications  group, 
the  communications  interface  group,  the  surveillance  group,  and  the  CIDIN 
(Common  ICAO  Data  Interchange  Network)  group.  The  communications  group 
consists  of  a Tiline  to  which  are  attached  three  computers;  the  surveillance 
communications  computer,  the  CIDIN  communications  computer,  and  a spare 
(redundant)  computer.  These  are  all  physically  housed  in  the  communications 
console,  shown  as  the  top  drawer  of  equipment  rack  unit  12  in  figure  5.  This 
is  energised  by  a ♦5-volt  triplex  power  supply  shown  directly  underneath. 

The  communications  interface  group  consists  of  a Tiline  into  which  are  plugged 
the  communications  interface  PCB's  of  the  surveillance  and  CIDIN  groups.  All 
this  is  physically  packaged  in  the  communications  interface  console,  shown 
as  the  top  drawer  of  equipment  rack  unit  13  in  figure  5.  The  communications 
interface  console  is  energised  by  a 5-volt  triplex  power  supply  drawer  and  a 
M2-volt  duplex  power  supply  drawer.  Both  power  supply  drawers  are  located 
directly  beneath  the  communications  interface  console  in  figure  5. 

The  surveillance  and  CIDIN  groups  contain  the  communications  interface  PCB's 
mentioned  above,  plus  modems  and  link  switches,  shown  in  figure  5.  The  sur- 
veillance group  also  includes  a primary  radar  interface,  shown  in  equipment 
rack  unit  13  of  figure  5. 

STATUS  AND  MAINTENANCE  FORM. 

GENERAL.  Failure  and  maintenance  data  as  well  as  changes  in  status  conditions 
will  be  entered  on  a specially  designed  status  and  maintenance  form  developed 
for  use  with  the  DABS  sensor  and  the  additional  equipment  to  be  evaluated. 

This  form,  shown  in  figure  6,  is  patterned  after  the  System  Maintenance  Log 
developed  by  IBM  for  use  with  their  9020  equipment.  It  has  been  specifically 
adapted  to  the  DABS  major  equipment  configuration  and  modified  for  use  with 
the  ARAP. 

The  columns  on  the  status  and  maintenance  form  correspond  to  the  major  units  or 
drawers  of  the  DABS  sensor.  In  order  to  keep  the  form  from  becoming  unwieldy, 
related  units  or  drawers  are  grouped  together  in  one  column.  For  example,  the 
seven  ensembles  of  the  ensemble  group  are  grouped  together  under  the  ENSEM 
column  of  the  form.  This  column  includes  the  Tilines,  couplers,  and  the 
28  DABS  computers  contained  within  these  seven  ensembles.  The  29th  and  30th 
computers  of  the  ensemble  group  are  physically  contained  within  the  ATCRBS 
drawer  and  are  included  in  the  ATCRBS  column  of  the  status  and  maintenance 
form.  Reference  to  a specific  element  or  unit  contained  within  a column  is 
provided  by  means  of  SERIAL  NUMBER  and  COMMENTS  columns  on  the  form. 

The  operational  status  of  each  equpment  unit  is  shown  by  one  of  four  symbols. 
"U,"  or  uptime,  indicates  that  the  unit  is  energised  and  subjected  to  normal 
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figure  a.  reliability  model  of  communications  section  of  single -channel  sensor 


FIGURE  5.  ARTIST'S  CONCEPTION  OF  COMMUNICATIONS  SECTION  OF  SINGLE-CHANNEL  SENSOR 
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FIGURE  6.  DABS  STATUS  AND  MAINTENANCE  FORM 
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electrical  stress.  This  includes  preventive  maintenance  time  unless  the  unit 
is  deenergized  during  such  preventive  maintenance.  "C"  is  corrective  main- 
tenance time  and  includes  all  time  that  a unit  is  down  due  to  a hardware 
failure.  "E"  indicates  an  engineering  change,  while  "0"  or  "other  time" 
includes  administrative  shutdown,  power  outages,  etc. 

The  form  includes  part  data  and  comments  for  use  in  failure  documentation, 
together  with  columns  for  identifying  each  failure  incident  by  date  and  time 
of  occurrence.  Columns  are  also  provided  for  recording  downtime  and  offline 
repair  time.  The  use  of  the  status  and  maintenance  form  is  described  in 
detail  below.  A new  form  should  be  used  each  day. 

USE : Figure  6 illustrates  the  events  of  a typical  day.  At  the  beginning  of 
each  day,  the  status  of  the  equipment  units  or  drawers  represented  by  each 
column  is  shown.  Thus,  a "U"  is  entered  at  time  0000  (midnight)  for  each 
column  except  the  5-V  PS  column.  Note  from  figure  6 that  an  engineering 
change  (E)  was  in  process  at  that  time  for  power  supply  No.  24  in  the  ATCRBS 
PS  drawer.  All  the  remaining  5-volt  power  supplies  in  the  sensor  were  in  an 
operative  or  "U"  condition  at  this  time  and  are  so  indicated  in  the  second 
line  of  figure  6.  The  engineering  change  on  power  supply  No.  24  was  completed 
at  9:30  a.m. , and  is  so  indicated  on  the  form. 

At  4:13  a.m.,  a hardware  failure  occurred  in  the  PROCESSOR  drawer;  thus,  a "C" 
is  entered  in  the  PROC  column,  together  with  the  time  (0413).  The  "INCIDENT 
NO."  columns  uniquely  identify  the  hardware  failure  by  noting  the  date  and 
time  it  first  occurred.  This  facilitates  any  subsequent  reference  to  this 
hardware  failure.  The  failure  was  isolated  to  the  DABS  message  processor 
PCB,  part  No.  885581-1,  located  in  slot  A177  (assumed)  of  the  processor.  This 
defective  PCB  was  replaced,  and  the  processor  was  restored  to  normal  operation 
at  4:58  a.m.  This  is  indicated  on  the  form  by  the  "U"  entered  under  the  PROC 
column  at  the  time  0458.  Note  the  INCIDENT  NO.  (1-1-79-04-13)  indicating  the 
date  and  time  this  failure  occurred.  The  incident  number  is  entered  at  the 
time  the  failure  occurred  (0413)  and  also  at  the  time  when  normal  operation 
of  the  processor  was  restored  (0458).  Under  the  column  marked,  "DOWNTIME," 
the  actual  corrective  maintenance  time  is  entered  to  the  nearest  tenth  of  an 
hour.  This  time  begins  when  maintenance  personnel  actually  start  trouble- 
shooting the  failure  and  ends  when  the  defective  part  has  been  repaired  or 
replaced  and  normal  operation  restored.  This  maintenance  time  does  not 
include  waiting  or  other  nonactive  time.  Where  maintenance  time  is  discon- 
tinuous, an  estimate  of  total  time  shall  be  given.  In  this  case,  0.7  hour  of 
actual  maintenance  effort  was  expended  up  to  the  replacement  of  the  defective 
message  processor  PCB  and  restoration  of  the  processor  to  normal  operation. 

The  defective  PCB  was  then  further  repaired  offline,  and  the  failure  was 
isolated  to  a defective  XYZ  chip.  This  offline  repair  time  took  1.5  hours  and 
is  entered  in  the  corresponding  column,  while  the  details  of  the  failure, 
troubleshooting  procedures,  unusual  difficulties,  etc.,  are  entered  under 
COMMENTS. 

The  transmitter  was  powered  down  for  4 hours  of  preventive  maintenance  from 
0800  to  1200  hours.  This  is  indicated  by  an  "0"  under  the  XMTR  column  at 
0800  hours,  followed  by  a "U"  at  1200  hours. 
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At  9:15  a.m.,  a failure  in  ATCRBS  computer  No.  1 was  indicated  by  the  perform- 
ance monitor.  This  is  one  of  the  two  redundant  ATCRBS  computers.  If  the 
PCB's  comprising  this  failed  computer  were  to  be  removed  from  the  ATCRBS 
Tiline  for  troubleshooting  purposes  while  that  Tiline  was  energised,  undesir- 
able spikes  or  transient  effects  would  result;  therefore,  the  Tiline  must 
first  be  deenergised  before  the  PCB's  are  removed.  However,  to  deenergise 
the  ATCRBS  Tiline  would  render  the  DABS  sensor  functionally  inoperative; 
therefore,  the  failed  computer  PCB's  are  left  attached  to  the  ATCRBS  Tiline 
until  a convenient  time  occurs  when  the  system  can  be  powered  down  for  main- 
tenance. Under  worst-case  conditions,  this  would  occur  at  the  next  30-day 
scheduled  maintenance  period,  at  which  time  the  Tiline  may  be  deenergised  for 
up  to  6 hours  for  troubleshooting  of  this  failure.  Since  actual  corrective 
maintenance  procedures  will  not  start  until  the  ATCRBS  Tiline  is  deenergised, 
the  failure  is  coded  "0"  for  "other,"  or  neutral  time,  in  the  ATCRBS  column 
until  the  Tiline  is  deenergised.  The  status  will  then  be  changed  to  "C" 
during  the  actual  time  that  corrective  maintenance  procedures  are  applied  to 
ATCRBS  computer  No.  1. 

At  9:30  a.m.,  the  CIDIN  computer  (serial  No.  4)  in  the  communications  console 
failed.  This  is  similar  to  the  ATCRBS  computer  failure  described  above, 
in  that  its  function  is  taken  over  by  a redundant  computer  and  will  be 
repaired  during  the  next  scheduled  maintenance  period,  which  occurs  at  1800 
the  same  day.  Therefore,  the  symbol  "0"  is  entered  under  the  COMM  column  at 
0930  hours,  indicating  that  computer  No.  U in  the  communications  console  is  in 
a neutral  status.  All  other  elements  in  the  communications  console  are 
operational  (U)  at  this  time.  At  1800  hours,  the  entire  communications 
console  was  deenergized  for  scheduled  maintenance.  This  is  indicated  by  an 
"0"  under  the  COMM  column  at  1800  hours  with  appropriate  notation  in  the 
COMMENTS  column.  Corrective  maintenance  procedures  on  the  defective  CIDIN 
computer  actually  started  at  1815  hours,  and  the  status  code  for  this  computer 
changed  accordingly  to  "C."  Repair  of  this  computer  took  30  minutes;  there- 
fore, at  1845  hours  the  status  of  the  CIDIN  computer  returned  to  "0"  since 
scheduled  maintenance  of  the  communications  console  continued  until  2200 
hours . 

At  2000  hours  a failure  occurred  in  the  ensemble  No.  2 Tiline  wherein  there  was 
no  output  from  that  ensemble  to  global  memory  A.  As  mentioned  previously, 
a Tiline  is  a motherboard  or  master  connection  board  into  which  are  plugged 
couplers  and  other  PCB's.  The  couplers  are  the  means  of  transferring  data 
from  one  Tiline  to  another.  They  come  in  pairs,  each  coupler  of  a pair 
being  connected  into  one  of  the  two  Tilines  between  which  data  are  to  be 
transferred.  In  the  case  of  this  failure,  diagnostic  procedures  indicated 
that  the  coupler  attached  to  ensemble  No.  2 in  the  coupler  pair  connecting 
that  coupler  to  the  global  A Tiline  was  defective.  The  ensemble  No.  2 Tiline 
was  accordingly  deenergized  and  the  defective  coupler  replaced.  Subsequent 
offline  analysis  showed  a bad  RST  chip  in  the  coupler. 
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DATA  PROCESSING  AND  ANALYSIS 


GENERAL. 

After  the  data  have  been  collected,  they  will  then  be  encoded  onto  punched 
cards  for  processing  and  tabulation  by  the  ARAP.  The  ARAP  consists  ofthree 
program  segments.  The  first  segment  provides  summaries  of  the  opleratTonal 
status  of  each  of  the  200+  reliability  elements  and  the  20  element  types  over 
the  period  of  observation.  The  second  program  segment  provides  a summary  of 
the  hardware  failures  incurred  by  each  of  the  200+  reliability  elements  over 
the  period  of  observation.  The  third  program  segment  provides  a summary  of 
descriptive  data  for  each  failed  part  or  component  involved  in  a hardware 
failure. 

These  summaries  will  then  be  analysed,  in  order  to  eliminate  dependent  or 
secondary  failures  or  any  other  data  which  appear  to  be  unreasonable  or 
inordinate.  The  corrected  hardware  failure  and  part  history  summaries  will 
then  be  analysed  to  identify  any  problem  areas  in  equipment  design  as  evi- 
denced by  distinct  or  repetitive  failure  patterns  or,  in  ease  of  mainte- 
nance, as  evidenced  by  unusual  difficulties  encountered  in  affecting  repairs. 
The  corrected  total  uptimes  and  downtimes  for  each  element  type  (obtained 
from  the  status  summaries)  and  the  total  number  of  hardware  failures  for  each 
element  type  (obtained  from  the  hardware  failure  summary)  will  then  be  applied 
to  a calculator  where  element  type,  section,  and  system  failure  rates 
and  MDT's  will  be  calculated. 

CODING  FOR  ARAP. 

Each  of  the  more  than  200  reliability  elements  will  be  uniquely  identified  by 
means  of  a header  card.  These  header  cards,  in  conjunction  with  appropriate 
trailer  cards,  will  be  used  for  the  generation  of  the  ARAP  operational  status 
and  hardware  failure  summaries.  They  will  also  be  used  for  the  generation  of 
conf igurat ion  control  listings. 

Encoded  upon  each  header  card  will  be  the  element  type,  DABS  site,  element 
serial  number,  and  an  element  identity  (ID)  code  which  will  be  unique  for  each 
of  the  200+  elements.  A typical  header  card  may  appear  as  follows: 


Element  Type:  COUPLER 

DABS  Site:  NAFEC 

Element  Serial  Number:  23 

Element  ID:  H17 


This  header  card  tells  us  that  coupler  serial  No.  23  is  assigned  element  ID 
code  H17.  The  H17  specifically  identifies  this  element,  since  another  ele- 
ment, such  as  a Tiline,  may  also  have  a serial  number  of  23  but  would  have 
a different  ID  code. 
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This  ID  code  (HI  7)  will  be  used  with  trailer  cards  upon  which  the  various 
operational  states  of  the  corresponding  element  over  the  period  of  obser- 
vation will  be  encoded.  The  ID  code  (H17)  will  also  be  used  with  other 
trailer  cards  upon  which  hardware  failure  information  for  the  correspond- 
ing element  will  be  encoded.  Finally,  the  ID  codes  will  be  used  to  iden- 
tify the  associated  elements  with  configuration  control  information.  This 
will  be  described  in  greater  detail  in  the  following  section. 

CONFIGURATION  CONTROL.  Although  not  a part  of  ARAP  as  it  presently  exists, 
the  header  cards  used  with  the  ARAP  programs  can  be  used  to  generate  con- 
figuration control  listings.  These,  in  turn,  will  be  useful  if  not  actu- 
ally necessary  for  encoding  element  status  and  hardware  failure  information 
from  the  status  and  maintenance  form. 

To  illustrate  how  the  header  cards  can  be  used  for  the  generation  of  config- 
uration control  listings,  let  us  assume  that  the  coupler  serial  No.  23  is 
plugged  into  global  Tiline  A and  connects  with  the  coupler  plugged  into  the 
ensemble  1 Tiline  of  the  computer  subsystem.  A configuration  control  trailer 
card  would  be  prepared  bearing  the  following  information: 

Element  ID;  HI  7 

Configuration  Control  Data:  FROM:  GLOBAL  A TO:  ENSEMBLE  1 

When  used  with  the  appropriate  header  card,  the  following  printout  would  be 
obtained: 


CONFIGURATION  CONTROL  LISTING 


Element 


Coupler 


Serial 

Number 


NAFEC 


Conf igurat ion 
Control  Information 

From:  Global  A 
To:  Ensemble  1 


The  other  coupler  in  this  coupler  pair  would  read: 


From:  Ensemble  1 


To:  Global  A 


By  use  of  such  a configuration  control  listing,  the  elements  associated 
with  each  column  on  the  status  and  maintenance  form  (figure  6)  can  be  ascer- 
tained. For  example,  the  GLOBAL  column  includes  global  Tilines  A and  B, 
together  with  all  the  elements  connected  to  them.  Each  global  Tiline  contains 
10  couplers;  7 of  which  go  to  the  7 ensemble  Tilines,  2 of  which  go  to  the 
ATCRBS  and  communications  Tilines,  and  1 of  which  goes  to  the  opposite  global 
Tiline.  In  addition,  the  global  A Tiline  includes  four  17bk  memories,  one 
memory  monitor  PCB,  and  four  interface  PCB's  which  interface  with  the  DABS 
processor,  the  MCU,  the  performance  monitor,  and  the  azimuth  system  timing 
unit  (AZSTU).  The  global  B Tiline  includes  two  176k  memories  and  one  memory 
monitor  PCB  in  addition  to  the  10  couplers  mentioned  above. 
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Each  memory  monitor  PCB  contains  four  reliability  elements;  two  series  elements 
and  two  switching  elements.  One  switching  and  one  series  element  are  used  for 
each  pair  of  176k  memories.  Since  there  is  only  one  pair  of  176k  memories  in 
global  Tiline  B,  only  one  series  and  one  switching  element  are  used  in  the 
memory  monitor  PCB  in  the  Global  B Tiline.  Thus,  the  GLOBAL  column  on  the 
status  and  maintenance  form  includes  the  status,  failure,  and  maintenance 
reporting  of  2 Tilines  and  36  reliability  elements  connected  to  these  two 
Tilines.  The  configuration  control  listing  of  these  38  elements  might  appear 
as  shown  in  table  2.  Note  that  several  of  the  couplers  have  the  same  serial 
number  as  the  interface  PCB's;  however,  the  element  ID  codes  by  which  header 
and  trailer  cards  are  related  prevent  any  ambiguity. 

Configuration  control  listings  such  as  shown  in  table  2 identify  the  specific 
elements  associated  with  each  major  equipment  subunit  and  will  be  an  aid  to 
the  encoding  of  the  status,  failure,  and  maintainability  information  from  the 
columns  of  the  status  and  maintenance  form. 

For  summarizing  status  condition  and  hardware  failure  information  for  each  of 
the  20  element  types,  the  configuration  control  listings  can  be  re-sorted  so 
that  they  list  all  the  elements  of  an  element  type  together.  For  example,  all 
42  couplers  with  their  serial  numbers  and  configuration  control  information 
can  be  listed  together  under  the  coupler  element  type.  This  can  also  include 
spares.  Updating  of  the  configuration  control  listings  due  to  configuration 
changes,  element  or  part  substitutions,  etc.,  can  be  quickly  and  simply 
accomplished  by  inserting  new  trailer  cards  reflecting  the  updated  config- 
uration for  the  elements  concerned. 

OPERATIONAL  STATUS.  Status  coding  is  done  for  each  of  the  200+  elements  in 
each  DABS  sensor.  Status  information  is  obtained  from  the  columns  of  the 
status  and  maintenance  form.  When  the  columns  represent  a single  element,  the 
elements  are  coded  directly  from  the  columnj  i.e.,  transmitter,  receiver, 
etc.  When  the  column  represents  multiple  elements  such  as  the  GLOBAL  column, 
use  of  the  configuration  control  listings  such  as  table  2 will  help  identify 
the  elements  concerned. 

Changes  in  operational  status  are  encoded  upon  trailer  cards.  Each  trailer 
card  accommodates  six  status  conditions.  Each  status  condition  includes 
the  status  code  (U,  E,  C,  or  0)  together  with  the  month,  day,  and  time 
(in  hours  and  minutes)  associated  with  the  status  condition.  The  trailer 
card  also  includes  the  element  ID  code  and  the  last  digit  of  the  year 
relating  to  the  status  data. 

To  illustrate  status  coding,  let  us  consider  a 31-day  period  of  observation 
extending  from  July  21  through  August  20,  1979.  Let  it  be  assumed  that  six 
changes  in  status  occurred  for  air-conditioner  serial  No.  30001  during  this 
31-day  period.  This  requires  eight  status  entries,  including  the  status  con- 
ditions existing  at  the  beginning  and  ending  times  of  the  31-day  period.  Two 
trailer  cards  would  be  needed  to  accommodate  these  eight  status  conditions. 
These  trailer  cards  would  appear  as  follows: 
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TABLE  2.  CONFIGURATION  CONTROL  LISTING  OF  RELIABILITY  ELEMENTS  OF  "GLOBAL" 
COLUMN  OF  STATUS  AND  MAINTENANCE  FORM 


Element  Type 


Serial  No. 


DABS  Site  Configuration  Control  Information 


Til  ine 

42 

NAFEC 

Global  A 

Tiline 

41 

NAFEC 

Global  B 

Coupler 

23 

NAFEC 

From 

Global 

A 

To 

Ensemble 

1 

Coupler 

24 

NAFEC 

From 

Global 

A 

To 

Ensemble 

2 

Coupler 

29 

NAFEC 

From 

Global 

A 

To 

Ensemble 

3 

Coupler 

25 

NAFEC 

From 

Global 

A 

To 

Ensemble 

4 

Coupler 

27 

NAFEC 

From 

Global 

A 

To 

Ensemble 

5 

Coupler 

26 

NAFEC 

From 

Global 

A 

To 

Ensemble 

6 

Coupler 

26 

NAFEC 

From 

Global 

A 

To 

Ensemble 

7 

Coupler 

30 

NAFEC 

From 

Global 

A 

To 

Global  B 

Coupler 

32 

NAFEC 

From 

Global 

A 

To 

ATCRBS 

Coupler 

31  . 

NAFEC 

From 

Global 

A 

To 

Comm. 

Coupler 

51 

NAFEC 

From 

Global 

B 

To 

Ensemble 

1 

Coupler 

52 

NAFEC 

From 

Global 

B 

To 

Ensemble 

2 

Coupler 

53 

NAFEC 

From 

Global 

B 

To 

Ensemble 

3 

Coupler 

54 

NAFEC 

From 

Global 

B 

To 

Ensemble 

4 

Coupler 

55 

NAFEC 

From 

Global 

B 

To 

Ensemble 

5 

Coupler 

56 

NAFEC 

From 

Global 

B 

To 

Ensemble 

6 

Coupler 

57 

NAFEC 

From 

Global 

B 

To 

Ensemble 

7 

Coupler 

58 

NAFEC 

From 

Global 

B 

To 

Global  A 

Coupler 

59 

NAFEC 

From 

Global 

B 

To 

ATCRBS 

Coupler 

60 

NAFEC 

Frotu 

Global 

« 

To 

Comm. 

Interface  PCB 

23 

NAFEC 

From 

Global 

4 

To 

DABS  Proc 

• 

Interface  PCB 

25 

• 

NAFEC 

From 

Global 

A 

To 

MCU 

Interface  PCB 

27 

NAFEC 

From 

Global 

A 

To 

Perf.  Mon 

• 

Interface  PCB 

26 

NAFEC 

From 

Global 

A 

To 

AZSTU 

M.M.  Switch 

100 

NAFEC 

Global  A 

M.M.  Serial 

100 

NAFEC 

Global  A 

M.M.  Switch 

101 

NAFEC 

Global  A 

M.M.  Serial 

101 

NAFEC 

Global  A 

M.M.  Switch 

102 

NAFEC 

Global  B 

M.M.  Serial 

102 

NAFEC 

Global  B 

1 76k  Memory 

70 

NAFEC 

Global  A 

17 6k  Memory 

71 

NAFEC 

Global  A 

176k  Memory 

72 

NAFEC 

Global  A 

176k  Memory 

73 

NAFEC 

Global  A 

176k  memory 

74 

NAFEC 

Global  B 

176k  Memory 

75 

NAFEC 

Global  B 

20 


— — 


ID 

Yr 

1st  Status 

2nd  Status 

3rd  Status 

4th  Status 

5th  Status 

6th 

Status 

A 1 

9 

U 7210000 

0 7301125 

U 7301145 

E 7312200 

U 7312210 

0 8 

41810 

A 1 

9 

U 8 42400 

U 8202400 

The  A 1 is  the  element  ID  for  air-conditioner  serial  No.  50001.  The  "9"  is 
the  last  digit  of  the  year  1979.  These  two  trailer  cards,  preceded  by  the 
corresponding  header  card,  would  be  applied  as  inputs  to  the  status  summary 
segment  of  the  ARAP,  along  with  similar  groups  of  status  trailer  cards  for  the 
remaining  elements  in  the  system.  Each  set  of  trailer  cards  must  be  preceded 
by  the  header  card  for  the  element  concerned. 

There  are  two  parts  to  the  element  status  time  summary  printouts.  Part  1 
shows  the  time  each  status  condition  occurred  for  each  element  and  the  time 

[interval  spent  in  each  status  condition.  Part  2 is  a summary  of  the  total 
time  spent  in  each  of  the  four  status  codes  by  each  individual  element  and 
each  of  the  20  element  types. 

A sample  of  the  part  1 status  time  summary  is  shown  in  table  3.  This  shows 
the  eight  status  times  of  air-conditioner  serial  No.  50001  which  were  encoded 
onto  the  two  status  trailer  cards  as  discussed  in  the  preceding  paragraphs. 
Similar  status  conditions  are  also  shown  for  air-conditioner  No.  50002  (the 
second  air-conditioner  in  the  I&P  section),  both  link  switches,  and  the 
primary  radar  interface. 

Looking  at  air-conditioner  No.  50001,  the  first  line  reads  7-21-0-0  under 
the  date-time  group.  This  is  0000  hours  of  July  21,  1979,  the  start  of  the 
observation  period,  and  corresponds  to  the  first  status  entry  on  the  first 
trailer  card.  The  unit  was  in  an  operational  or  "U"  condition  until  1125 
hours  of  July  30  (second  status  entry  on  the  first  trailer  card).  At  this 
time,  the  status  of  the  air-conditioner  changed  from  "U"  to  "0."  The  time 
interval  to  this  change  in  status  was,  therefore,  227  hours  and  25  minutes 
and  is  shown  in  table  3 as  the  time  interval  for  the  first  status  condition 
(U).  By  a similar  process,  the  time  interval  for  each  status  condition 
of  each  element  in  the  period  of  observation  is  obtained. 

An  example  of  part  2 of  the  status  time  summary  printout  is  shown  in  tsble  4. 
This  shows  the  total  time  (in  hours  and  fractions)  that  each  of  the  five 
elements  shown  in  table  3 spent  in  each  of  the  four  status  codes,  as  well  as 
the  total  time  spent  in  these  status  codes  by  each  of  the  three  element  types 
represented  by  these  five  elements.  Since  there  are  two  air-conditioners,  two 
link  switches,  and  one  primary  radar  interface  in  the  system,  the  totals  for 
each  of  these  three  element  types  are  shown.  For  example,  the  link  switch 
element  type  showed  a total  "U"  (uptime)  of  1,475  hours,  and  a total  downtime 
"C"  of  1.08  hours. 

HARDWARE  FAILURES.  Each  hardware  failure  will  be  encoded  upon  two  trailer 
cards,  since  the  amount  of  information  associated  with  each  failure  cannot 
be  fitted  upon  one  card.  The  first  trailer  card  will  contain  the  following 
information:  element  ID  code,  element  type  code,  date  and  time  that  the  failure 
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TABLE  3.  ELEMENT  STATUS  TIME  SUMMARY,  PART 
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TABLE  4.  ELEMENT  STATUS  TIME  SUMMARY,  PART  2 


first  occurred,  description  of  the  failure,  time  to  unit  restoration  (downtime), 
offline  repair  time  (if  applicable),  number  of  parts  associated  with  the  main- 
tenance action,  and  a card  indentif ication  number.  The  second  trailer  card 
will  contain  the  element  ID  code;  the  same  card  identification  number  that  was 
assigned  to  the  first  trailer  card;  the  number,  type,  and/or  location  of  the 
part  associated  with  the  maintenance  action;  and  the  disposition  of  the  part, 
such  as  repaired,  replaced,  cleaned,  adjusted,  or  shipped.  The  date  and  month 
that  this  action  took  place  should  also  be  noted.  The  failure  information 
encoded  on  these  two  trailer  cards  is  obtained  from  the  status  and  maintenance 
form.  The  two  trailer  cards  associated  with  each  failure  must  be  preceded  by 
the  associated  header  card  for  processing  by  the  ARAP.  The  header  card  and 
two  trailer  cards  associated  with  the  processor  failure  occurring  at  0413  hours 
(figure  6)  would  appear  as  shown  in  figure  7.  A sample  of  a hardware  failure 
summary  printout  is  shown  in  table  5. 

PART  FAILURES.  Each  part  failure  is  coded  upon  a single  punched  card.  The 
information  to  be  encoded  shall  include  a part  type  code;  number,  type,  and/or 
location  of  the  failed  part;  the  element  type  associated  with  the  failed  part; 
the  DABS  site  number;  a description  of  the  part  failure,  such  as  "defective 
ABC  chip;"  and  a disposition  code  as  follows:  A-repaired,  B-adjusted,  C-cleaned, 
D-thrown  away,  and  E-shipped.  A card  ID  shall  also  be  encoded.  An  example 
of  a part  failure  summary  is  shown  in  table  6. 

REVISED  ARAP.  The  ARAP  was  originally  designed  for  the  7090  system,  contain- 
ing about  20  to  30  discrete  equipment  units.  Each  DABS  sensor  contains  over 
200  reliability  elements.  The  status  changes  of  each  of  these  must  be  encoded 
over  a definite  period  of  observation.  While  many  of  these  elements  will 
require  few  or  no  status  changes  over  the  period  of  observation,  especially 
if  the  system  is  continuously  energized,  still  header  and  trailer  cards  must 
be  coded  for  each  of  these  elements.  As  many  of  the  elements  associated  with 
certain  columns  on  the  status  and  maintenrnce  forms  must  be  identified  through 
the  configuration  control  listings,  this  involves  an  additional  workload, 
particularly  for  status  encoding.  When  encoding  hardware  failures,  a header 
card  must  accompany  the  two  trailer  cards  of  each  hardware  failure,  even 
though  several  different  failures  occur  in  the  same  element.  This  requires 
many  duplicates  of  the  header  cards  to  be  made. 

Attempts  will  be  made  to  streamline  and  simplify  the  ARAP  program  for  DABS 
application.  This  would  mean  that  one  header  card  placed  anywhere  within 
the  data  card  deck  could  be  used  for  the  status  and  all  hardware  failures 
associated  with  any  particular  element.  By  including  the  conf igurat ion 
control  trailer  cards  in  the  revised  ARAP,  the  workload  involved  in  the 
status  encoding  can  be  virtually  reduced  to  the  total  number  of  columns 
on  the  status  and  maintenance  forms  rather  than  encoding  each  of  the  200* 
elements.  This  could  be  accomplished  by  using  a composite  trailer  card  for 
each  column  on  the  maintenance  form.  This  composite  trailer  card  would 
include  all  the  elements  contained  in  that  column.  A status  change  appli- 
cable to  one  element  in  that  column  grouping  could  be  indicated  by  a supple- 
mentary trailer  card  indicating  that  particular  status  condition.  As  an 
example  of  this,  consider  the  GLOBAL  column  of  the  status  and  maintenance 
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B.  FIRST  TRAILER  CARD 


1 

r 

I 

885581-1  MSC  PR  PCB  A177 

REPLACED  7/31 

2 

a 

5 2 

(PART 

(ELEM. 

(AFFECTED  PART 

DISPOSITION 

CODE 

£5 

NUMBER  AND 

AND 

(CARD 

ID) 

LOCATION) 

DATE) 

ID) 

C.  SECOND  TRAILER  CARD 


TABLE  5.  DABS  HARDWARE  FAILURE  SUM4ARY 


TABLE  6.  DABS  PART  FAILURE  SUMMARY 


form.  As  seen  in  table  2,  this  contains  38  elements.  A composite  trailer  card 
would  be  encoded  with  the  overall  status  of  all  38  elements.  Should  one  of 
these  elements;  for  example,  the  Interface  PCB  for  the  DABS  processor  , fail 
on  a certain  date,  a supplementary  trailer  card  would  be  made  out  for  this 
element  indicating  its  failed  atatua  for  the  appropriate  time  on  that  day. 

SUBSEQUENT  PROCESSING. 

GENERAL.  Having  obtained  the  total  uptimes,  downtimes,  and  numbers  of  fail- 
ures for  each  element  and  element  type  from  the  ARAP  printouts,  these  data 
will  then  be  analysed  for  inordinate  or  unreasonable  values.  This  analysis 
will  include  a statistical  test  which  will  test  the  assumption  that  each 
element  type  exhibits  a constant  failure  and  repair  rate.  This  is  done 
because  the  mathematical  models  which  are  used  to  compute  the  element  type, 
section,  and  system  failure  rates  assume  a constant  failure  and  repair  rate 
(exponential  distribution)  for  each  element  type.  This  test,  known  as  the 
Kolmogorov-Smirnov  goodness-of-f it  test,  has  been  programed  as  have  other 
statistical  tests  which  will  be  used  to  test  the  assumption  that  all  elements 
within  each  element  type  are  from  the  same  statistical  population. 

The  uncorrected  total  uptimes  and  downtimes  for  each  element  type  are  obtained 
from  the  "TOT  U"  and  "TOT  C"  columns,  respectively,  of  the  element  status 
time  summary  part  2 (table  4),  while  the  uncorrected  number  of  failures  is 
obtained  from  the  hardware  failure  summary  of  table  3.  After  removing  data 
which  do  not  meet  the  required  statistical  criteria,  the  corrected  value  will 
then  be  applied  to  the  calculator,  where  element  type  section  and  system 
failure  rates  and  MDT's  will  be  computed  and  printed  out.  The  HTBF  for  the 
entire  DABS  system  will  also  be  calculated  and  printed  out.  These  values  will 
be  printed  on  a summary  form  similar  to  that  shown  in  table  7 for  the  single- 
channel sensor.  Note  that  the  element  type  failure  rates  and  MDT's  shown  in 
table  7 are  hypothetical  values  used  for  illustrative  purposes  only.  They  are 
actually  the  predicted  values  used  by  TI  in  their  reliability  model  to  calcu- 
late the  predicted  MTBF  as  required  by  the  ER.  These  predicted  values  will  be 
used  in  this  paper  in  the  mathematical  models  to  follow  for  illustrative 
purposes  only.  They  are  not  to  be  construed  as  actually  measured  values. 

In  using  the  summary  form  of  table  7,  the  site,  beginning  and  ending  dates 
of  the  observation  period,  and  maximum  time  to  replacement  of  failed  PCB's 
(next  convenient  time  to  effect  repairs)  are  entered  manually.  The  remainder 
of  the  headings  are  printed  automatically,  then  the  calculator  stops  for 
manual  entry  of  element  type  data. 

ELEMENT  TYPE  SUMMARY.  In  generating  the  element  type  summary,  the  calculator 
automatically  prints  the  name  of  the  element  type  being  processed,  then  stops. 
The  corrected  values  of  total  uptime,  number  of  failures,  snd  total  downtime 
for  that  element  type  are  then  each  entered  in  turn.  From  these  three  entries, 
the  calculator  computes  the  failure  rate  per  million  hours  and  the  MDT  for  the 
element  type  concerned.  The  following  formulas  are  used  to  generate  these 
quantities : 


TABLE  7.  DABS  RELIABILITY  AND  MAINTAINABILITY  SUMMARIES 


SITE:  NAFEC  FROM:  January  1,  1979  TO:  January  31,  1979 

MAXIMUM  TIME  TO  REPLACEMENT  OF  FAILED  PCS' a 720  Houre 


1 . ELEMENT  TYPE  SUMMARY 


ELEMENT 

TOTAL 

UPTIME 

NO.  OF 

TOTAL 

DOWNTIME 

FAILURES 

PER  MILLION 

MEAN 

DOWNTIME 

TYPE 

(HOURS) 

FAILURES 

(HOURS) 

HOURS 

(HOURS) 

1.  AIR-CONDITIONERS 

14143 

1 

2.0 

70.706 

2.0 

2.  ANTENNA  CROUP 

86207 

1 

2.0 

11.600 

2.0 

3.  TRANSMITTER 

4605 

1 

2.0 

217.155 

2.0 

4.  RECEIVER 

4278 

1 

2.0 

233.754 

2.0 

5.  PROCESSOR 

7673 

1 

2.0 

130.327 

2.0 

6.  WWVB  RECEIVER 

10000 

0 

0 

0 

0 

7.  TILINES 

500000 

1 

2.0 

2.000 

2.0 

8.  COUPLERS 

116279 

1 

2.0 

8.600 

2.0 

9.  INTERFACE  PCB'a 

44964 

1 

2.0 

22.240 

2.0 

10.  5- VOLT  P.S. 

3592 

1 

2.0 

2 78.  396 

2.0 

11.  12- VOLT  P.S. 

3682 

1 

2.0 

271.592 

2.0 

12.  DABS  COMPUTERS 

4666 

1 

2.0 

214.316 

2.0 

1 3.  176-K  MEMORY 

7974 

1 

2.0 

125.408 

2.0 

14.  MEM.  SWITCH  ELEMENT 

508906 

2 

4.0 

3.930 

2.0 

IS.  MEM.  SERIAL  ELEMENT 

925926 

1 

2.0 

1.080 

2.0 

16.  COMM.  I/F  - SERIAL 

899  28 

1 

2.0 

11.120 

2.0 

1 7.  COMM.  I/F  - CHANNEL 

179856 

1 

2.0 

5.560 

2.0 

18.  MODEMS 

15000 

1 

2.0 

66.670 

2.0 

19.  LINK  SWITCHES 

317460 

1 

2.0 

3.150 

2.0 

20.  PRI.  RADAR  I/F 

297619 

1 

2.0 

3.  360 

2.0 

2.  SECTION  SUMMARY  - SINGLE  CHANNEL 

A.  INTERROGATOR  AND  PROCESSOR  SECTION 

592.856 

2.0 

B.  COMPUTER  SECTION 

1)  AT CRB S GROUP 

76.508 

1.3 

2)  ENSEMBLE  CROUP 

218.590 

1.0 

3)  GLOBAL  MEMORY  GROUP 

159.684 

1.6 

TOTAL  COMPUTER  SECTION 

454.782 

1.3 

C.  COMMUNICATIONS  SECTION 

1)  COM*.  CONSOLE  (INCLUDING  COMPUTERS) 

143.310 

1.0 

2)  COm.  I/F  CONSOLE  (INCLUDING  MODEMS) 

100.973 

1.3 

TOTAL  COmUNI CATIONS  SECTION 

244.283 

1.1 

3.  SYSTEM  SUMMARY  - SINCLE  CHANNEL 

1291.921 

1.7 

SYSTEM  MTBF  774  hours 


■ 


■ 


Failures  per  million  hours  (A)  _ No.  of  Failures  x 106 

Total  Uptime 

MDT  - Total  Downtime 

No.  of  Failures 

For  the  air-conditioners,  these  values  are: 

Failures  per  million  hours  (A)  » 1 x 10**  « 7n.7nA 

14143 

MDT  - lli  - 2 hours 

1 

The  above  procedure  is  repeated  for  each  of  the  element  types.  Note  again 
that  the  above  values  in  table  7 are  hypothetical — they  were  selected  in  order 
that  the  resulting  element  type  failure  rates  and  MDT's  correspond  to  Tl's 
predicted  values. 

SINGLE-CHANNEL  SECTION  ANALYSIS.  From  the  element  type  summary  information 
entered  by  the  operator,  the  calculator  will  automatically  compute  and  print 
out  the  failure  rates  and  MDT's  for  each  of  the  three  sections  of  the  single- 
channel sensors,  including  the  three  computer  section  groups  and  the  two 
communications  section  consoles.  This  is  all  done  automatically  without  any 
further  manual  intervention.  The  mathematical  models  applicable  to  each  of 
the  three  sections  are  described  below. 

Interrogator  and  Processor  Section.  The  I&P  section  reliability  model 
(figure  1)  is  the  simplest  of  the  three  sections.  It  consists  of  a (^)  group 
of  air-conditioners  in  series  with  a string  of  five  series  elements;  i.e., 
antenna  group,  transmitter,  receiver,  processor,  and  WWVB  receiver. 

The  failure  rate  for  a string  of  series  elements  or  units  is  simply 
the  sum  of  the  failure  rates  of  the  individual  units  or  boxes  comprising  the 
string.  Thus,  in  figure  1,  the  (^)  air-conditioner  block  must  first  be  con- 
verted to  a simple  series  block  with  equivalent  failure  rates  and  MDT's  corre- 
sponding to  a simultaneous  failure  of  both  air-conditioners.  In  other  words, 
the  hardware  failures  occurring  in  the  individual  air-conditioners  must  be 
converted  into  equivalent  functional  failures  applicable  to  the  (2)  redun- 
dant combination.  This  is  done  by  use  of  the  Einhorn  formulas  (Einhorn,  E.  J., 
"Reliability  Predictions  for  Repairable  Redundant  Systems,"  Proceedings  of 
the  IEEE,  p.  312  - February  1963)  which  are  based  upon  the  assumption  (1)  that 
both  uptimes  and  downtimes  for  each  element  in  the  redundant  combination 
have  exponential  distribution^  and  (2)  they  are  independent  of  the  conditions 
of  the  other  elements.  These  conditions  apply  in  the  case  of  the  two  air- 
conditioners,  so  the  formulas  for  a redundant  combination  of  two  identical 
elements  are: 
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* EFF  “ 2A  2 D 

and  Deff  * D/2  where 

A eff  ” effective  failure  rate  of  redundant  combination  in  hours 

dEFF  “ effective  MDT  of  redundant  combination  in  hours 

A - failure  rate  of  one  of  the  identical  elements  comprising 
the  redundant  combination,  in  hours 

and  D ■ MDT,  in  hours,  of  one  of  the  identical  elements  comprising 

the  redundant  combination 

Applying  these  formulas  to  the  (2)  air-conditioners  block,  we  get: 

A eff  “ 2 x (70.706  x 10-^)2  x 2 * .02  x 10“^  failures  per  hour 

or  0.02  failures  per 
million  hours 

Deff  “ 2.0/2  ■ 1 hour 

Thus,  the  (2)  air-conditioner  block  has  been  converted  into  an  equiv- 
alent series  block  with  an  effective  failure  rate  of  0.02  failures  per  million 
hours  and  an  effective  MDT  of  1 hour.  The  effective  failure  rate  of  the  I4P 
section  is  the  sum  of  the  failure  rates  of  all  six  series  blocks.  This  is: 

Air-Conditioners  (equivalent  series) 

Antenna  Croup 
Transmitter 
Receiver 
Processor 
WWVB  Receiver 

Total  A jjp  or  AA  - 

The  effective  MDT  of  the  series  string  is  given  by: 

MDTeff  * £ (A  x MDT)  / A£ff  where  A and  MDT  are  the  failure  rates  and 
MDT's,  respectively,  of  each  unit  in  the  series  string,  and  A EFf  is  the 
effective  failure  rate  of  the  series  string.  The  effective  MDT  of  the  l&P 
section  is  then: 

- (0.02  x 1)  » (11.6  x 2)  + (217.16  x 2)  ♦ (233.75  x 2)  ♦ (130.33  x 2) 
592.86 

■ 1.9832  hours  or  2.0  hours  (rounded  to  nearest  tenth) 
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A 


0.02 

11.600 

217.160 

233.750 

130.330 

0.00 

592.860  failures  per 
million  hours 


L 





Computer  Section.  The  computer  section  reliability  model,  shown  in 
figure  2,  consists  of  four  groups;  the  ATCRBS  group,  the  ensemble  group,  and 
global  memories  A and  B.  Since  the  two  global  memories  are  similar  except 
for  two  extra  176k  memory  strings  and  four  interface  PCB's  plugged  into  the 
global  A Tiline,  they  will  be  combined  into  one  global  memory  group  for  the 
purposes  of  this  summary. 


Figure  8 shows  the  DABS  computer  section  in  somewhat  more  detail  than  the 
reliability  model  of  figure  2.  Note  the  five  coupler  pairs  so  marked  on 
figure  8.  These  coupler  pairs  are  the  means  by  which  data  are  transferred 
between  the  ATCKBS  Tiline,  both  global  Tilines,  and  the  communications  Tiline. 
Should  an  individual  coupler  of  one  of  these  five  pairs  fail,  data  can  still  be 
properly  transferred  by  means  of  the  other  four  pairs;  hence,  this  is  a (5) 
redundant  combination.  Since  the  ATCRBS  Tiline,  each  global  Tiline,  and  the 
communications  Tiline  each  contains  two  or  more  members  of  these  coupler  pairs, 
the  effective  failure  rate  and  MDT  of  the  (^)  redundant  combination  must  be 
computed  and  properly  apportioned  among  these  Tilines. 

Since  these  couplers  are  plugged  into  Tilines  which  can  only  be  deener- 
gized during  scheduled  maintenance  periods,  a failed  coupler  must  be  left 
plugged  into  its  Tiline  until  the  next  preventive  maintenance  (PM)  period 
occurs,  which  is  720  hours  under  worst-case  conditions.  The  procedure  used  is 
a state  diagram  technique,  which  is  a generalization  of  the  Einhorn  method. 
Essentially,  this  consists  of  ascertaining  all  possible  states  in  which  the 
redundant  group  will  operate  and  computing  the  probability  of  the  redundant 
group  being  in  that  state  for  the  worst  case  time  period  (720  hours).  The  prob- 
ability associated  with  each  state  is  then  multiplied  by  the  combined  failure 
rates  of  the  number  of  units  which,  if  any  one  were  to  fail,  would  cause  com- 
plete failure  of  the  redundant  group;  hence,  system  failure.  The  effective 
failure  rate  of  the  redundant  group  is  equal  to  the  sum  of  these  products 
divided  by  the  sum  of  the  state  probabilities. 

This  procedure  is  best  illustrated  by  the  actual  state  diagram  for  the 
(^)  redundant  coupler  pairs,  shown  in  table  8. 


TABLE  8.  STATE  DIAGRAM  FOR  EQUIVALENT  FAILURE  RATE  OF 

(?)  REDUNDANT  COUPLER  PAIR  COMBINATION 
4 


Conf ig- 
State  uration 

Probability 

Failure  Mode  Information 

Formula 

Numerical 

Value 

\ 

Failure 

Rate 

Prob.  x 
Failure 

Rate 

‘ BBBBB 

BS9I 

P5». 93995808 

- 

- 

- 

^ BBBBB 

P4-Ue~u 

P4-. 0582022 

■3 

6.88xl0-5 

A.0043xl0_b 

Total 

.99816029 

4.0043xl0"6 

f 


i 
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FIGURE  8.  DABS  COMPUTER  SECTION 


In  state  1,  all  five  coupler  pair*  are  operational.  The  probability  of 
all  five  coupler  pairs  still  being  operational  at  the  end  of  720  hours  (30 
days)  is  expressed  by  the  equation  P5  ■ e-**,  where  U " N * CT.  N is  the  number 


of  coupler  pairs,  in  this  case,  five. 


is  the  failure  rate  of  one  coupler 


pair,  which,  taken  from  line  8 of  the  element  type  summary  (table  7),  is  equal 
to  2x8.6(10-^)  or  17.2x10“^  failures  per  hour.  T is  the  time  (720  hours); 
therefore,  the  value  of  U * 5x17.2  (10“^)x720  ■ .06192.  P5  then  equals 

e-. 06192,  or  .93995808. 

A failure  of  a coupler  in  one  of  the  coupler  pairs  would  not  fail  the 
entire  system,  since  four  coupler  pairs  are  still  left  and  only  four  are 
required.  Such  a failure  would  put  the  redundant  group  in  state  2.  The  prob- 
ability of  this  state,  exactly  one  failed  coupler  pair  during  the  720-hour  per- 
iod, is  represented  by  the  equation  P4  " Ue-^,  which  is  equal  to  .0582022.  The 
remaining  four  operational  coupler  pairs  can  be  considered  a series  string 
which,  should  any  coupler  fail,  would  cause  system  outage,  since  only  three  of 
the  required  four  pairs  would  remain  operational.  The  combined  failure  rate  of 
this  string  is  4x\c,  which  is  6.88x10“*.  The  product  of  this  state  failure  rate 
and  the  state  probability  is  .0582022x6.88  (10“^)  “ 4.0043  (10-^).  The  effec- 
tive failure  rate  for  the  (5)  combination  is  equal  to  the  sum  of  the  products 
of  state  probabilities  and  failure  rates  divided  by  the  Bum  of  the  state  prob- 
abilities. Thus,  v kfk  ■ 4.0043  (10“6)  - 4.012  (10-^)  failures  per  hour. 

.99816029 

For  calculating  the  effective  MDT  of  the  (|)  redundant  coupler  combina- 
tion, the  actual  MDT  of  2 hours,  taken  from  table  7,  will  be  used,  since  this 
reflects  the  time  that  actual  maintenance  effort  was  directed  toward  isolating 
the  defective  coupler  and  replacing  it.  The  effective  MDT  is  obtained  by 
tinhorn' s equation  for  a (^)  redundant  combination: 


dEFF  “ 


n - r ♦ 1 


D,  where  n ■ number  of  available 

2 


units  (5)  and  r * number  of  required  units  (4).  Then  Dgyp  “ 2.0/2  " 1 hour. 

The  effective  MDT  for  the  (^)  coupler  pair  combination  can  also  be  ob- 
tained by  means  of  the  state  diagram;  however,  since  the  conditions  of  indepen- 
dent uptimes  and  downtimes  prevail  in  the  MDT  situation,  the  simpler  Einhorn 
equation  is  used.  However,  in  the  case  of  more  complex  subsystems  such  as 
the  ensemble  group  where  the  conditions  of  independent  uptimes  and  downtimes 
do  not  exist,  the  state  diagram  method  must  be  used  for  both  failure  rate  and 
MDT  determination.  To  illustrate  the  use  of  the  state  diagram  for  MDT  deter- 
mination, the  MDT  of  the  (^)  coupler  pair  combination  will  be  determined 
by  this  method  also.  This  is  shown  in  table  9. 


; 
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TABLE  9.  STATE  DIAGRAM  FOR  EQUIVALENT  MDT  OF  (|)  COUPLER  PAIR  COMBINATION 


State 

Configuration 

Probability 

Failure  Mode  Information 

Formula 

Numerical 

Value 

1 

Failure 

Rate 

Prob.  x 
Failure 

Rate 

1 

BBBBS 

■ 

.9998280177 

1 

j | 

2 

BBBBB 

4 

5pq 

.0001719704 

6.88xl0-5 

1.183156494 

xlO-8 

Total 

.9999999881 

■ 

m 

1.183156494 

xlO"8 

MD1’  = 1 -L  State  Probabilities 

E (State  Probabilities  x State  Failure  Rates) 

= 1 - .9999999881  = 1.19  x 10~8 

1.183156494  x 10-8  1.183156494  x 10-8 

= 1.006  hours,  or  1.0  hour  rounded  to  tenths 

In  the  above  diagram,  p equals  the  probability  of  a coupler  pair  being 
operational  at  any  time.  This  probability  can  be  expressed  by  p ■ _JL.* 
where  U and  D are  the  MTBF  and  MDT,  respectively,  of  an  individual  U+D 
coupler  pair.  As  the  coupler  pair  can  be  considered  a series  string  of  two 
identical  couplers,  y.  1 ■ 58139.535  hours;  while  D,  the  MDT  of 

2 x 8.6  (10-6) 

a single  coupler,  is  2 hour9.  The  value  of  p,  then,  is  .9999656012  while  q, 
the  probability  of  a coupler  pair  being  in  a failed  state  at  any  given  time, 
is  1 - p,  or  3.43988  x 10~5. 

ATCRBS  Group.  As  seen  in  figure  2,  the  ATCRBS  group  consists  of 
an  ATCRBS  Tiline  containing  a (2)  computer  combination,  all  of  which  is 
energized  by  a (3)  triplex  5-volt  power  supply.  The  effective  failure  rates 
and  MDT' s of  each  of  these  three  blocks  shown  in  figure  2 must  be  calculated. 


ATCRBS  Tiline.  The  ATCRBS  Tiline  consists  of  1 Tiline  (element 
type  7 of  table  7)  , 1 ATCRBS  Interface  PCB  (element  type  9 of  table  7),  and 
2 of  the  10  individual  couplers  comprising  the  0)  coupler-pair  combination. 
For  reliability  modeling  purposes,  the  ATCRBS  Tiline  can  be  considered  as  a 
series  string  containing  one  Tiline,  one  interface  PCB,  and  one-fifth  of  the 
(5)  coupler  pair  combination.  The  proportion  of  the  effective  failure 
rate  of  the  (?)  coupler  pair  combination  assigned  to  the  ATCRBS  Tiline  is 
then  0.2  of  the  calculated  failure  rate  (4.012  failures  per  million  hours), 
while  the  entire  equivalent  MDT  of  the  (5)  coupler  pair  combination 
would  be  assigned  to  each  apportioned  part. 


Bla 


MDT 


Bla 


^Tiline  + ^ I/F  ♦ 0.2  x * (^)  coupler  pairs 

25.042  failures  per  million  hours 


* ( x Tiline  * MDT  Tiline)  ♦ < X I/F  * MDT  I/F) 
= 1.968  hours 


♦ 


0.2  X (5)  x MDT 

_£l_ 


3 

(2)  + 5-Volt  triplex  power  supply.  The  effective  failure  rate  and 
MDT  for  the  (^)  5-volt  triplex  power  supply  can  be  obtained  by  use  of 
Einhorn's  equations.  These  are: 

X EFF  = 6 X ^ d and  MDTgpj1  m p 

1 


where  X and  D are  the  failure  rate  and  MDT,  respectively,  of  a single  5-volt 
power  supply  (element  type  10  in  table  7).  These  values  are: 

* Bib  = 0.93  failures  per  million  hours 


MDTBlb  « D/2  ■=  1 hour 


(2) 

1 ATCRBS  computer  combination, 
the  ATCRBS  Tiline,  they  are  not  repaired 
720-hour  state  diagram  technique  is  used 
failure  rate.  This  is  shown  in  table  10. 


As  these  computers  are  plugged  into 
immediately  upon  failure;  hence,  the 
for  computation  of  the  effective 


n 


j 
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TABLE  10.  STATE  DIAGRAM  FOR  EQUIVALENT  FAILURE  RATE  OF  (2)  ATCRBS 
COMPUTER  COMBINATION  1 


Probability  Failure  Mode  Information 


Numerical  Failure 

Formula  Value  X Rate 


| | | -"  | P2-e-u  .73448038 


Pj-  Ue-U  .22665477 


.<>6113515 


a 

R 

B 

i 


214.3xl0~6  48.572xl0~6 


48.572xl0-b 


where  U - N X T • .308592 


Then  ^ bic  - 48.572(10”b)  ■ 50.536  failures  per  million  hours 

.96113515 

The  Einhorn  equation  is  used  for  finding  the  effective  MDT.  This  is: 
MDTBic  - D/2  - 1 hour 

ATCRBS  group  summation  The  effective  failure  rate  and  MDT  of  the 
ATCRBS  group  are  as  follows: 

X B1  " X Bla  ♦ x Bib  ♦ X Blc 


76.508  failures  per  million  hours 


mdtBi- 


" 1.3  hours  (rounded  to  nearest  tenth) 

Ensemble  Group.  The  ensemble  group  consists  of  seven  ensemble 
Ti  lines,  each  of  which  contains  four  computers.  Two  additional  computers  used 
with  the  ensemble  group  are  physically  attached  to  the  ATCRBS  Tiline.  This 
provides  a total  of  30  computers  in  the  ensemble  group,  of  which  26  must  be 
operational  in  order  for  the  system  to  function.  Normally,  these  will  be 
provided  by  26  of  the  30  computers  contained  in  the  ensemble  group.  Hence, 
loss  of  up  to  four  computers  can  be  sustained  by  the  ensemble  group  with  no 
impact  on  system  operation. 


V 


Should  the  ensemble  group  sustain  the  loss  of  five  computers;  i.e., 
one  complete  ensemble  plus  one  additional  computer,  there  would  now  be  only 
25  computers  available  in  the  ensemble  group — 1 less  than  the  26  required  to 
maintain  the  system  operational.  In  this  case,  the  ensemble  group  will  preempt 
the  spare  communications  computer  shown  in  figure  4 as  the  (3)  DABS  computers 
block,  provided  the  remaining  two  communications  computers  are  functioning. 
Thus,  the  spare  communications  computer  can  perform  a double  function — either 
as  a redundant  communications  (surveillance  or  CIDIN)  computer  or  as  a 
redundant  ensemble  group  computer. 

Since  the  (~9)  ensemble  group  and  the  (^)  communications  computer 
are  not  independent,  due  to  the  dual  function  of  the  spare  communications 
computer,  the  effective  failure  rate  of  the  combined  ensemble  group  and  (x) 
communications  computer  combinations  must  be  determined  using  the  state  dia- 
gram technique.  The  combined  effective  failure  rate  is  then  apportioned  to 
the  ensemble  group  and  the  communications  computer  combination  in  accordance 
with  the  appropriate  states  of  the  state  diagrams.  This  procedure,  which  is 
worked  out  in  detail  in  appendix  A,  results  in  an  effective  failure  rate  for 
the  ensemble  group  A g2  of  218.59  failures  per  million  hours. 

The  state  diagram  technique  is  also  used  for  the  effective  MDT  deter- 
mination of  the  ensemble  group  and  communications  computers  combination.  This 
procedure,  worked  out  in  detail  in  appendix  A,  results  in  an  effective  MDT  of 
1 hour  for  the  ensemble  group  and  communications  computer  combination.  This 
effective  MDT  will  be  used  for  both,  the  ensemble  group  and  the  (^)  commu- 
nications computers  combination.  Thus,  MDTg2  “ 1 hour. 

Global  Memory  Group.  The  global  memory  group  consists  of  the  seven 
boxes  (Global  A and  B)  in  the  lower  half  of  figure  2. 


Global  Tiline  A.  Global  Tiline  A contains  one  Tiline  and  four 
interface  PC B ' s . As  seen  in  figure  8,  3 of  the  10  couplers  in  the  (5) 
redundant  coupler  pairs  are  contained  in  the  Tiline;  therefore,  0.3  of  the 
effective  failure  rate  of  the  (^)  coupler  group  must  be  apportioned  to  Global 
Tiline  A . Hence , 


X B3a 


MlH'B3a 


x TI  ♦ 4 X I/F  + 0.3  X (£) 


92.1636  failures  per  million  hours. 

( A TI  x MDTT1)  + ( 4 A 1/p  x mdt1/F)+  |(0.3  x (%)  x MDT  (j^) )] 


1.9869  hours 
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Global  Tiline  B.  Global  Tiline  B is  identical  to  global  Tiline  A 
except  that  it  doesn't  contain  the  four  interface  PCB's. 

Then : 


X (J> 


x B3b  - x T1  ♦ 0.3 

■ 3.2036  failures  per  million  hours. 

MDTB3b  - ( A ti  x MDTn)  + [(0.3  x (*)  x MDT  (*))] 


B3b 


MDTB3b 


1.6243  hours. 


(3)  Five-volt  triplex  power  supply.  As  computed  for  A Bjb  on 


page  36, 


B3c 


MDtb3c 


0.93  failures  per  million  hours 


1 hour 


(?)  Memory  string  sets.  Global  Tiline  A contains  two  sets  of  176k 
memory  strings,  while  global  Tiline  B contains  one  such  set.  Each  set  con- 
sists of  two  176k  memory  strings  of  which  one  is  redundant,  plus  one  series 
and  one  switching  memory  monitor  element.  Figure  9 is  a reliability  diagram 
showing  the  functional  arrangement  of  these  units  within  each  of  these  three 
sets.  There  is  actually  only  one  switching  element,  and  it  is  needed  only  when 
switching  to  a redundant  176k  memory  string.  Functionally,  half  the  failure 
rate  of  the  switching  element  can  be  apportioned  to  each  of  the  two  memory 
strings.  The  effective  failure  rate  of  each  of  the  two  redundant  branches 
is  then: 


BR 


X 176k  + _1_  X Switch 

2 


“ 127.365  failures  per  million  hours 
The  effective  MDT  of  each  branch  is  then 


MDTBK 


( X176k  x MDT  176k)  ♦ (^  x x Switch  x Ml^Switch) 


BR 


2 hours 
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FIGURE  9.  RELIABILITY  DIAGRAM  OF  MEMORY  AND  MONITOR  ELEMENTS  IN  EACH  MEMORY  STRING  SET 


As  these  memory  strings  are  attached  to  the  critical  global  Tilines, 
the  720-hour  maintenance  philosophy  applies;  hence,  the  state  diagram  technique 
will  be  used  to  determine  the  effective  failure  rate  ( A (^))  of  the  two 
redundant  branches.  This  is  shown  in  table  11. 


TABLE  11.  STATE  DIAGRAM  FOR  EQUIVALENT  FAILURE  RATE  OF  GLOBAL 
MEMORY  REDUNDANT  BRANCHES 


Probability 

Failure  Node  Information  j 

Numerical 

Failure 

Prob.  x Fail.  1 

State 

Configuration 

Formula 

Value 

A 

Rate 

Rate  | 

1 

cm 

C=3 

P2-e-u 

P2-. 83243045 

- 

- 

- 

Px-. 15267241 

aBR 

127.365(10-6) 

19. 445 (10-6) 

□ZD 

Total 

.98510286 

19.445 (10-6) 

Where  U • .1834056 

Then  A(2)  - 19.445  - 19.739  failures/106  hours 

.98510286 

The  Einhorn  equation  is  used  to  determine  the  effective  MDT  of  the 
two  redundant  branches.  This  is: 


MDT(2) 


MDT 


1 n - r + 1 


MDT  ( 2 ) * 1 hour 


BN  where  n - 2 (available  units)  and 


r - 1 (required  units) 
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With  the  serial  element  added  to  the  (£)  branch,  the  effective 
failure  rate  and  MDT  of  one  memory  string  set  becomes: 


SET  - X (|)  + x Serial 

- 20.819  failures  per  million  hours 


MDT 


SET 


i ♦ A < 

* B3d 


X (2)  x MDT  (2)  |+|  A Serial  x MDTSe 


1.0519  hour 


rialj 


Since  there  is  a total  of  three  memory  string  sets  in  global  A and 
B Tillnes,  then 


*B3d 

MDT 


3x  * 


B3d 


SET 
MDT 


SET 


» 62.457  failures  per  million  hours 

1.0519  hour 


Global  memory  group  summation.  The  effective  failure  rate  and  MDT 
of  the  global  memory  group  are  as  follows: 

1 B3  * *B3a  + *B3b  + 2 Ab3c  + *B3d 

= 159.684  failures  per  million  hours 

mdtB3  " (XB3a  x MD^a)  + (XB3b  x MDTB3b)+(2  X B3c  x mdtB3c)  * (XB3d  x MDTB3d) 


kB3 


1.6  hours 


Computer  Section  Summation.  The  effective  failure  rate  and  MDT 
of  the  computer  section  are  as  follows: 


1 B 


XB1 


*B2 


*B3 


MDTt 


454.782  failures  per  million  hours 

(*B1  x MDTB1)  + (XB2  x t'1DTB2)  + (XB3  x MDTB3) 


* 1.3  hours 

Communications  section.  The  communications  section  reliability  model, 
shown  in  figure  4,  consists  of  four  groups:  the  communications  group,  the 
communications  interface  group,  and  the  surveillance  and  CIDIN  groups.  The 
communications  group  includes  the  three  computers  (surveillance,  CIDIN,  and 
spare)  which  are  located  within  the  communications  Tiline.  All  this  is  con- 
tained in  one  equipment  rack  (the  communications  console)  and  is  listed  as  such 
in  the  summary  printout  (table  7). 
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The  remaining  three  groups  consist  of  those  elements  In  the  data  path 
between  the  communications  interface  Tiline  and  the  external  equipments  with 
which  the  DABS  communicates.  The  communications  interface  Tiline,  which 
contains  the  communications  interface  PCB’s  for  both  the  CIDIN  and  surveillance 
groups,  is  contained  in  one  equipment  rack  (the  communications  interface 
console).  The  modems  and  link  switches  which  transfer  the  data  to  and  from 
the  external  equipments  are  located  in  two  additional  equipment  racks.  These 
remaining  three  groups  are  therefore  listed  as  a single  entry  in  table  7 
(.communications  I/F  console  including  modems). 


The  communications  Tiline  and  communications  interface  Tiline  are 
connected  by  two  coupler  pairs,  one  of  which  is  redundant.  Since  both  of 
these  Tillnes  are  critical  to  system  operation,  the  720-hour  maintenance 
philosophy  applies  in  determining  the  equivalent  failure  rate  of  this  (2) 
redundant  coupler  pair  combination;  therefore,  the  state  diagram  technique  is 
used.  This  is  shown  in  table  12. 


TABLE  12.  STATE  DIAGRAM  FOR  EQUIVALENT  FAILURE  RATE  DETERMINATION 
OF  (2)  REDUNDANT  COUPLER  PAIR  COMBINATION 


j Failure  Mode  Information  1 

State 

Configuration 

Formula 

Numerical 

Value 

n 

Failure 

Rate 

Prob.  x Fail. 
Rate 

■■■■■I 

1 

mo 

CO 

P2»e-U 

.97553621 

i 

- 

- 

■Cl 

cm 

Pl-Ue-u 

.02416208 

B 

1.72(10-5) 

.41559(10-6) 

Total 

.99969829 

.41559(10-6) 

Where  U “0.024768  and 
\c  “ 1.72xlO-5 

Coupler)  = 0.416  failures  per  million  hours 

The  MDT  determined  by  the  Einhorn  equation  is: 

MDT(2)  « ])  « 1 hour 

1 2 

This  equivalent  failure  rate  is  apportioned  equally  between  the  communi- 
st Ions  Tiline  and  the  communications  interface  Tiline. 


Conmuni  cat  ions  Comole.  Thia  includes  the  communications  Tiline, 
together  with  its  5-volt  triplex  power  supply  and  the  three  computers  which  it 
contains.  As  one  of  these  computers  is  a spare,  the  computers  comprise  a (3) 
redundant  combination. 

Communications  Tiline.  The  comaunicat ions  Tiline  contains  2 of  the 
10  individual  couplers  comprising  the  (•?)  coupler  pair  combination  and  2 of 
the  4 couplers  ccxnpriaing  the  (|)  coupler  pair  combination. 

Therefore , 


MDCcu 

AClb 

MDCclb 


* (atixMDTtu  + 

* 1.6643  hours 
Triplex  power  supply 


per  million  per  mil] 

r 

lion  hours 

r i 

[o  . 2 A (4 ) x MDT  (!) 

♦ lo.5  (1)  xMDT  d)\ 

As  computed  for  A Bib  on  page  36, 


.93  failures  per  million  hours 
1 hour 


(3)  Computer  combination.  This  contains  the  redundant  computer  that 
can  serve  as  a spare  for  either  the  ensemble  group  or  the  surveillance  or  C1DIN 
computers  as  required.  As  worked  out  in  appendix  A,  the  effective  failure  rates 
(X  cic^  and  MDTcic  are,  respectively: 

ACle  = 139.37  failures  per  million  hours 

and  MDTclc  - 1 hour 

Communications  console  summation.  The  effective  failure  rate  and 
MDT  of  the  communications  console  portion  of  the  communications  section  are 
as  follows: 


- 143.310  failures  per  million  hours 

MDTC1  - (Xcia  x M0Tcla)  + (Aclb  x MDTclb)  + (Apic  x MDTC1C 

X Cl 

= 1.0  hour  (rounded  to  nearest  tenth) 

Communications  Interface  Console.  With  regard  to  reliability,  the 
communications  interface  console  contains  the  communications  interface  Tiline, 
including  its  power  supplies  and  all  communications  elements  between  this 


Tiline  and  the  external  equipments  with  which  the  DABS  communicates.  This 
consists  of  the  following  elements  or  subgroups: 


(a)  Communications  Interface  Tiline 

(b)  +5-Volt  Triplex  Power  Supply 

(c)  +12-Volt  Duplex  Power  Supplies 

(d)  (^)  Surveillance  Transmit  Plus  Modems 

(e)  Link  Switch  (Surveillance) 

(f)  Primary  Radar  Interface 

(g)  Surveillance  Receiver 

(h)  (£)  CIDIN  Interface  Plus  Modems 

D 

(i)  Link  Switch  (Communications) 

Communications  interface  Tiline.  The  communications  interface 
Tiline  includes  the  other  half  of  the  (|)  coupler  pair  combination.  Therefore: 

XC2a  ' aTI  + °.5  A(2) 

= 2.208  failures  per  million  hours 

MDCc2a  = (XTL  x MDTTL)  ♦ [o.5X(2)  x MDT(2) 

AC2a 

= 1.9058  hours 

+5-volt  triplex  power  supply.  As  computed  for  A Bib  on  page  36, 
xC2b  = °*93  failures  per  million  hours 
MDBC9jj  “ 1 hour 

+12-volt  duplex  power  supplies.  These  are  actually  two  duplexes  in 
series:  a (2)  plus  12-volt  combination  and  a(^)  minus  12-volt  combination.  As  these 
four  power  Supplies  are  identical,  the  following  Einhorn  equations  are  used: 

X„„  ■ 2x2  (X  )2  x DDs • where  X and  DnR 

C2c  ' ps  Ps*  ps  Ps 

are  the  failure  rate  and  MDT,  respectively,  of  each  12-volt  power  supply. 

Then: 

xC2c  = 0.59  failures  per  million  hours 
MDTc2c  = 1 hour 
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(j)  Surveillance  transmit  plus  modems.  The  operation  of  this  sub- 
group can  be  explained  with  the  aid  of  figure  10.  As  seen  in  this  diagram, 
three  communications  I / F PCB's  plug  into  the  communicat ions  interface  Tiline. 

Each  of  these  PCB's  consists  of  a serial  element  and  two  channel  elements 
(A  and  B).  The  data  to  or  from  each  channel  element  are  through  a modem  to 
the  link  switch. 

System  operation  requires  at  least  two  A and  3 channel  paths  to  be 
operational.  Failure  of  a serial  element  causes  loss  of  both  associated  A 
and  B channel  paths.  Hence,  failure  of  a serial  element  in  one  communications 
I/F  PCB  followed  by  a channel  element  or  modem  failure  in  another  communica- 
tions I/F  PCB  will  cause  loss  of  system  operation.  Failure  of  two  channel 
A o£  channel  B elements  or  modems  will  also  cause  loss  of  system  operation. 

The  effective  failure  rate  of  the  surveillance  transmit  combination 
is  determined  by  means  of  the  state  diagram  technique,  which  the  operational 
states  are  represented  by  various  combinations  of  serial  elements,  channel 
elements,  and  modems.  In  order  to  determine  the  probability  of  any  operational 
state,  the  combination  is  broken  down  into  three  parts  which  we  will  designate 
as  S,  T,  and  M. 

Parts  S and  T are  the  serial  and  channel  elements,  respectively,  of 
the  communications  I/F  PCB,  which  is  attached  to  the  communications  I/F  Tiline. 

Since  this  Tiline  is  critical  to  system  operation,  the  720-hour  scheduled 
maintenance  repair  philosophy  applies.  Part  M is  the  modem,  which  is  repaired 
or  replaced  immediately  upon  failure. 

The  probability  of  each  of  the  operational  states  is  a function  of 
the  probabilities  associated  with  the  number  of  S,  T,  and  M elements  in  the 
state.  The  state  diagram  for  the  equivalent  failure  rate  is  described  in 
detail  in  appendix  B.  The  summary,  shown  in  table  13,  shows  that  the  effec- 
tive failure  rate  of  the  surveillance  transmit  plus  modems  combination  is 
11.17  failures  per  million  hours. 

1 

For  the  effective  MDT  calculation,  the  state  diagram  technique  is 
also  used.  The  summary,  shown  in  table  14,  shows  that  the  effective  MDT  of 
the  surveillance  transmit  combination  is  1.0  hour.  The  probability  of  the 
modem  (M)  part  is  the  same  as  that  used  in  the  effective  failure  rate  calcu- 
lations. The  probabilities  of  the  S and  T parts,  however,  are  the  probabil- 
ities of  these  parts  being  operational  at  any  time,  rather  than  over  a 720-hour 
period.  The  probability  of  a single  S or  T element  being  operational  at  any 
time  is  U/ll  ♦ D,  where  U and  D are  the  MTBF  and  MDT,  respectively,  of  the 

element.  Since  U = 1 / A , P can  also  be  expressed  as:  j 

1/ ( 1+AD) . Then  Ps  = 1 = .9999777605  and 

1 +Xg  Dg 

PT  = 1 = .9999888801 

1 +■  A f Df 
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COMMUNICATIONS  INTERFACE  TILINE 


TO  SURVEILLANCE 
LINK  SWITCH 


COMM  I/F 
PCB’S 


FIGURE  10.  SURVEILLANCE  TRANSMIT  AND  MODEMS 
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TABLE  13.  EQUIVALENT  FAILURE  RATE  SUMMARY  FOR  SINGLE-CHANNEL  SURVEILLANCE  TRANSMIT  COMBINATION 


n.i7xi<r* 


ABLE  .4.  STATE  SI "MARY  FOR  DETERMINATION  OP  MDT  OF  SINGLE-CHANNEL  SURVEILLANCE  TRANSMIT  COMBINATION 


it  L b b 1 b T i 
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| j 
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•O  N « 


ti  l l l \ ^ 
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f!  ? ! ! I 
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nil  1 - 
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bit 


^ k 

-4  u ii  * 

* •«  9 £ 


a * « 


b 

R J 


j t k 

r»  «*»  h 

M 

»T  rN  r>  «p 

^ O 

fi  5 3 5 

••N  $ *H  «*> 

!•>  ^ m 


V « * £ 

r.  2 I 6 S 

b it  1 32^-s 

•m  r*a  **?  <n  «r  • *3 


« 3 


fM 

3 3 I 


* 

£ fi 


•T  C «N  (MM  (N  ^ *N  (MM  N «N  *4  N r» 

£ . Kr,  }L  Ks  pi  £~  £ £„  £ * K | * 7' 

I I?  y ti  ii  in  ii  i ii  is  i $$  i 


-Z  3tst*  Frobsblllzi** - 1. *52x10" 7 - 1 fro»*r 

z Fallsr*  «ace*>  OsTTSzT'F7 


I 


' 


The  probabilities  of  all  three  S and  T elements  being  operational 
at  any  time  are  given  by: 


P3S  - Pg3  - (.9999777605)^  - .999933283 

and  P3T  - Px3  = (.9999888801)3  - .9999666407 

The  probabilities  of  two  S or  T elements  being  operational  at  any 
time  are  given  by: 

F 2s  “ 3 Ps2  (1-PS)  - 6.67155  x 10“5 

and  P2T  - 3 Pt2  (1-PT)  - 3.33589  x 10"  5 

Link  switch  (surveillance).  As  shown  in  the  element  type  summary  of 
table  7: 

XQ2e  * 3.15  failures  per  million  hours 

MDTc2e“  2 hours 


Primary  radar  Interface.  As  shown  in  the  element  type  summary  of 

table  7: 

Ac2f  “ 3.36  failures  per  million  hours 

MDT(;2f  “ 2 hours 

Surveillance  receiver.  This  is  actually  a communications  I/F  PCB 
which  consists  of  one  serial  and  two  channel  elements.  Then,  from  the  element 
type  summary  of  table  7: 

X C2g  "X  SER  + X 2 CHAN 

» 22.24  failures  per  million  hours 

MDTc2g  - (Xsf.r  x MDTSER)  + (2  XcHAN  * ^CHAN) 

XC2g 


* 2 hours 

(^)  CIDIN  Interface  plus  modems.  The  operation  of  this  subgroup  can 
be  explained  with  the  aid  of  figure  11.  As  seen  in  this  diagram,  there  are 
seven  paths  from  the  communications  I/F  Tiline  to  the  link  switch.  Each  path 
consists  of  a communications  I/F  PCB  (containing  one  serial  and  two  channel 
elements)  and  a modem.  Six  of  these  seven  paths  are  required  for  system 
operation . 
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FIGURE  11.  (?)  CIDIN  INTERFACE  PLUS  MODEMS 
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Since  the  communications  I/F  PCB's  are  plugged  into  the  communi- 
cations I/F  Tiline,  which  is  critical  to  system  operation,  the  720-hour  repair 
philosophy  of  failed  communication  I/F  PCB's  applies.  The  modems  are  repaired 
or  replaced  immediately  upon  failure.  Therefore,  the  effective  failure  rate 
will  be  determined  by  means  of  the  state  diagram  technique  shown  in  table  15. 


The  effective  failure  rate  of  the  CIDIN  interface  subsystem  is  then: 

A c2h  = 54.175  failures  per  million  hours 

The  effective  MDT  can  be  calculated  by  use  of  Einhorn's  equation 
for  a (£)  redundant"  combination'.  The  effective  MDT  for  each  of  the  seven 
equal  branches  (Djjg)  is  equal  to: 

Dbr  * (AC  x MDTq  + (XM  x MDTm) 

Ac  + Ah* 

■ 2 hours 

The  effective  MDT  of  the  (£)  CIDtM  interface  subsystem  is  then: 
MDTC2h  “ Dgg/  (n  - r + 1)  where  n « number  of  available  units  ■ 7 & 

r »'  number  of  required  units  = 6. 

MDTc2h  “ A hour 

Link  switch  (communications).  This  is  the  same  as  C2e,  (page  50); 
hence,  f 

AC2i  “ 3.15  failures  per  million  hours  and 

MDCc2i  “ 2 hours  •*- 

Communications  interface  console  summation.  The  effective  failure 
rate  and  MDT  of  the  communications  interface  console  (Including  modems)  of 
the  Communications  Section  are  as  follows: 

i 

XC2  “ 1 XC2k  and 
k - a 

i 

MDTC2  = 2 (xc2k  x MDTC2k) 


k = a 
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TABLE  15.  STATE  DIAGRAM  FOR  EQUIVALENT  FAILURE  RATE  DETERMINATION  OF  (l) 
CIDIN  INTERFACE  COMBINATION 


State 

Configuration 

C M 

1 

tr  r i 

Formula 


Pl- 

P7cxP7M 


P6cxP7M  .10011061 


Failure  Mode  Information 


Rate 


P3- 

P7CXP6M 


P4- 

p^xPm 

7 


8.3359x 

10-4 


1.3348x 

10-5 


X6c 

+ 5.3344x  5.3403 

X6M  10"4  xl0-5 


X6c 

+ 5.3344x  4.4467 

10-4  xio-7 


X6c 

+ 5.3344x  7.1204 

X6M  10-4  xio-9 


Total 


.99408778 


Where  C stands  for  the  con nunicat ions  I/F  PCB  and  M stands  for  the  modems. 
P7C  « e_u  where  U ■ .1120896 
P7C  * .89396416, 


P6c  « Ue-u  - .10020408 

PM  - 1 - .99986668 

1 dM 

P7M  ” (Pm^7  * (.99986668)7  - .99906716 

P6M  “ (Pm)6  ( (“Pm)  ■ 9.3246  x 10"4 

' 6C  » 6 x 22.24  ( 10~6)  - 1.3344  x 10~4 

‘ 6M  - 6 x 66.67  (10“6)  - 4 x 10-4 
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Thus: 


toa 

= 2.208 

MDTC2a 

- 

1.9058 

toa 

X 

MDTC2a 

m 

4.208 

tob 

= 0.93 

MDTC2b 

s 

1.00 

tob 

X 

MDTC2b 

B 

0.93 

toe 

= 0.59 

MDTc2c 

s 

1.00 

xC2c 

X 

mdtC2c 

B 

0.59 

XC2d 

-11.17 

MDTC2d 

S 

1.00 

xC2d 

X 

^CZd 

s 

11.17 

xC2e 

= 3.15 

MDTC2e 

s 

2.00 

toe 

X 

B 

6.3 

XC2f 

= 3.36 

MDTC2f 

B 

2.00 

xC2f 

X 

MDT 

C2f 

s 

6.72 

XC2g 

=22.24 

^028 

B 

2.00 

xC2g 

X 

MDTC2g 

B 

44.48 

XC2h 

=54.175 

MDTC2b 

= 

1.00 

xC2b 

X 

MDTC2h 

S 

54.175 

XC2i 

= 3.15 

MDTc2i 

= 

2.00 

xC2i 

X 

MDTC2i 

B 

6.3 

i 

I (xC2k  x MDTC2k)  * 134.873  x 10-6 
k = a 

i XC2k  = 100.973  failures  per  million  hours  * Aq2 

I 

k = a 

MDTr9  = 134.873  = 1.3  hours  (rounded  to  tenths) 

100.973 

Communications  Section  Summary.  The  effective  failure  rate  and  MDT 
of  the  Communications  Sections  are  as  follows: 

AC  = AC1  + XC2 

= 244.283  failures  per  million  hours 

MDTC  = (AC1  x M°Tci)  + (XC2  x MDTC2) 


= 1.1  hour 

SINGLE-CHANNEL  SYSTEM  SUMMARY.  The  overall  system  failure  rate, 

XSys  “ XA  + XB  + AC 

» 1291.921  failures  per  million  hours 
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The  overall  system  MDT  Is: 


MDTSys  - (1A  x MDTa)  + (xB  x MDTr)  ± (Xc  x MDTC) 

^Sys 

■ 1.6  hours 

The  system  MTBF  is  the  reciprocal  of  the  system  failure  rate. 

MTBF  » 774  hours 

DUAL-CHANNEL  SENSOR  ANALYSIS.  The  reliability  model  for  the  theoretical 
dual-channel  sensor  is  shown  in  figure  12.  As  seen  in  this  figure,  two  strings 
of  elements  are  duplicated  in  order  to  provide  the  20,000-hour  MTBF  specified 
in  the  ER.  One  of  these,  the  redundant  I&P  computer  string,  includes  elements 
from  the  I&P  and  computer  sections  of  the  single-channel  sensor.  The  other, 
the  redundant  communications  string.  Includes  certain  elements  of  the  communi- 
cations section. 

. 

As  in  the  single-channel  sensor,  certain  redundant  elements  which  are 
connected  to  critical  Tilines  would  be  left  in  the  system  upon  failure  until 
a convenient  time  for  replacement  occurs.  The  dual-channel  sensor  is  predicated 
upon  a daily  replacement  of  such  failed  elements,  the  replacement  to  be 
accomplished  during  the  hours  of  minimum  workload. 

A b-hour  minimum  workload  period  will  be  assumed  in  this  model,  leaving  the 
maximum  time  to  replacement  as  18  hours.  As  in  the  case  of  the  single-channel 
model,  the  program  for  the  dual-channel  model  will  have  the  capability  of 
varying  this  18-hour  maximum  replacement  time  to  any  other  desired  value. 
Pertinent  portions  of  this  model  will  be  discussed. 

Redundant  l&P/computer  string.  As  seen  in  figure  12,  the  five  interface 
PCB's  are  among  the  elements  duplicated.  Four  of  the  five  PCB's  in  each 
duplicated  string  are  attached  to  one  of  the  global  Tilines  (A  and  B).  As 
the  global  Tilines  are  not  duplicated,  they  are  critical,  since  both  are 
required.  Hence,  the  18-hour  replacement  philosophy  applies  to  these  four 
interface  PCB’s.  The  remaining  interface  PCB  is  attached  to  the  ATCRBS 
Tiline  which,  as  seen  in  figure  12,  is  duplicated.  Should  this  PCB  fail,  the 
ATCRBS  Tiline  can  be  deenergized,  and  the  PCB  replaced  immediately,  since  the 
ATCRBS  Tiline  in  the  redundant  string  is  still  operational. 

Since  each  of  the  two  strings  contain  elements  which  can  be  replaced 
immediately  and  elements  for  which  the  18-hour  replacement  philosophy  applies, 
the  state  diagram  technique  must  be  used  to  determine  the  effective  failure 
rate  of  the  redundant  I&P/computer  strings.  Let  A,  therefore,  represent 
the  elements  in  each  of  the  two  I&P/computer  strings  for  which  the  immediate 
replacement  philosophy  applies.  This  includes  the  transmitter,  receiver, 
processor,  ATCRBS  Tiline  and  power  supply,  one  ATCRBS  computer,  one  ATCRBS 
interface  PCB,  and  the  WWVB  receiver.  The  total  failure  rate,  XA,  for  these 
elements  is: 
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The  probability  of  one  set  of  A elements  at  any  time  is: 

- .00326227 


PlA  " 2 

1221.4636 

1.9989  ( 

1223.4625 

1223.4625 

i • 

> 4 

Let  B represent  the  four  interface  PCB's  for  which  the  18-hour-per-day 
replacement  philosophy  applies.  The  combined  failure  rate  (Ag)  of  these 

four  PCB's  is: 


- 4 x 22.24  (10-6)  - 88.96  (10“6) 

Then  the  KTBF  of  these  four  PCB's,  Ug  m 1 

XB 


11,241  hours 


The  probability  of  two  sets  of  B elements  being  operational  at  any 
instant  throughout  a 24-hour  period  is  given  by: 


p2B  * 18e~u  + _6 

24  24 


Ufi 


j} where  U - 18  x 2 x 88.96  (10“6) 

+ Dg  - 3.2026  (10-3)  and 


Dg  is  the  MDT  of  the  four  PCB  boards  - 2 hours.  This  expression  comes 
about  because  during  18  hours  of  the  day,  the  B elements  are  governed  by  the 
18-hour  repair  philosophy,  and  the  remaining  6 hours  represent  minimum  work- 
load time  during  which  the  critical  Tiline  can  be  deenergized  and  replacements 
made  immediately. 


Element 

Failure 

Rate  per  10^  Hours 

MDT  (hours) 

Transmitter 

217.16 

2.00 

Receiver 

231.73 

2.00 

Processor 

130.33 

2.00 

ATCRBS  Interface  PCB 

22.24 

2.00 

WWVB  Receiver 

0.00 

0.00 

ATCRBS  Tiline 

2.00 

2.00 

+5-Volt  Triplex  PS 

0.93 

1.00 

ATCRBS  Computer 

214.3 

2.00 

* A 

= 

818.69  failures 

per  million  hours 

UA  = 

1/XA 

- 

1221.4636  hours 

da  - 

1.9989  hours 

The  probability  of 

two  sets 

of  A 

elements  being  operational  at  any  time 

is : 

?2A  " 

1221-4636 

2 

- .99673506 

1221.4634  + 

1.9989 

► 

, 

$ 
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Then 

P2b  - 18  e "3-2026 

UO'3)  + 6 /ll24lV 

- .997513 

24 

24 

\1124^ 

and  P^g 

* 18  Ue-U  + 6 (2) 

(11241) 

i_L_2  “ 

.0024832 

24  24 

(11243) 

(11243) 

The  state  diagram  probabilities  for  effective  failure  rates  are  as 


follows : 

P2A  - 

.99673506 

P1A  3 

.00326227 

P2B  = 

.997513 

P1B  * 

.0024832 

A(1A  + ib)  = <818*69  + 88*96>  x 10-6  “ 9.0765  x 10-4 
The  state  diagram  is  shown  in  table  16. 


TABLE  16.  STATE  DIAGRAM  FOR  EQUIVALENT  FAILURE  RATE  DETERMINATION  OF 
REDUNDANT  I&P /COMPUTER  STRING  IN  DUAL-CHANNEL  SENSOR 


State 

— 

• 

Configuration 

Prob^ 

jbilitv 

Failure  Mode  Information 

Formula 

Numerical 

Value 

\ 

Failure 

Rate 

Prob.  x Failure 
Rate 

— ^ 

1 

L A 1 C.B  _J 

CO  CO 

p2AxP2B 

.99425618 

- 

- 

- 

2 

■■  1 B 1 

p1AxP2B 

.00325416 

1A+1B 

9.0765(10-4) 

2.9536x10-6 

3 

as 

p2AxPlB 

.00247509 

1A+1B 

9.0765(10-4) 

2.2465x10-6 

4 

HS 

p1AxP1B 

2 

4. 0504 (10“°) 

1A+1B 

9.0765(10-4) 

3.6764xl0-9 

Total 

.99998948 

5.2038x10-6 
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*EFF  (I&P/Comp)  » 5.2038xl0~6  = 5.2038  failures  per  million  hours 

.99998948 

MDTjrpp  (I&P/Comp)  = 1 hour  (by  Einhorn) 

Ensemble  group.  The  effective  failure  rate  for  the  ensemble  group  is 
determined  by  the  state  diagram  technique  using  an  18-hour  maximum  replacement 
rate  and  a 6-hour  direct  replacement  rate  for  the  global  couplers  (part  G)  of 
each  ensemble  and  also  for  the  two  extra  computers  (part  C)  attached  to  the 
ATCRBS  Tiline.  This  works  out  to  an  effective  failure  rate!  ENS  of  0.57 
failures  per  million  hours.  The  effective  MDT  is  0.8  hour. 

-i 

Global  memory.  This,  likewise,  is  worked  out  in  similar  fashion  to  the 
({)  memory  string  sets  discussed  in  part  B3d  of  the  single-channel  sensor, 
substituting  the  18-hour  maximum  and  6-hour  direct  replacement  rates  for  the 
720-hour  replacement  rate  for  the  redundant  176k  memory  strings.  This  gives 

Ian  effective  failure  rate  of  1.532  failures  per  million  hours  for  each  of 

the  three  sets,  or  4.596  failures  per  million  hours  for  all  three  sets.  The 
effective  fIDT  is  the  same  as  that  for  the  single-channel  sensor  ■ 1.0519  hour. 

| 

Redundant  communications  string.  The  effective  failure  rate  for  this 
redundant  string  is  derived  in  a similar  manner  to  that  for  the  redundant 
I&P/computer  string.  Let  C represent  the  elements  in  each  of  the  two  strings 
for  which  the  immediate  replacement  philosophy  applies.  This  is  as  follows: 

Element  Failure  Rate/lO^  Hours  MDT  (hours) 


Two  Computers 

428.60 

2.0 

Communications  I/F  Tiline 

2.00 

2.0 

+5-Volt  Triplex  PS 

0.93 

1.0 

+12-Volt  Duplex  PS 

0.59 

1.0 

Eight  Communications  I/F  Serials 

88.96 

2.0 

16  Communications  I/F  Channels 

88.96 

2.0 

10  Modems 

666.70 

2.0 

Surveillance  Receiver 

22.24 

2.0 

Primary  Radar  Interface 

3.36 

2.0 

Xc  = 

1302.34  failures 

per  million  hours 

Uc=l/*c 

767.84864  hours 

DC  - 

1.9988  hours 

P2c  “ .99481402 
Plc  = .00517923 

Let  D represent  the  coupler  pair  connecting  each  string  to  the  global 
Tilines.  Since  each  member  of  the  pair  attaches  to  a critical  Tiline,  the 
18-hour  replacement  philosophy  applies.  Hence, 
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58139.533,  DD  = 2 


58139.535 

58141.535 


where  U 


58139.535 

58141.535 


58141.535 


00048131 


(1302.34  + 17.2)  x 10' 


Applying  the  rtute  diagram  technique,  shown  In  table  17 


TABLE  17 


STATE  DIAGRAM  FOR  EQUIVALENT  FAILURE  RATE  DETERMINATION  OF 
REDUNDANT  COMMUNICATIONS  STRING  IN  DUAL-CHANNEL  SENSOR 


Failure  Mode  Information 


Probabllit 


Prob.  x Failure 
Rate 


Numerical 

Value 


Conf igurat ion 


Formula 


99433506 


1319.54x10' 


00517674 


1C+1D 


00047881 


1319.54x10' 


1C+1D 


PlC^lD 


1. 2464x10" 6 


1319.54x10' 


1C+1D 


7.4644x10“^ 


99999186 


(Communications  Strin 


MDTeff  (Communications  String)  « 1 hour  (by  Einhorn) 
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DIAL-CHANNEL  MTBF  AND  MPT  SUMMATION.  The  overall  failure  rate,  MTBF,  and 
MDT  of  the  dual-channel  sensor  are  calculated  as  follows: 

Element  Failure  Rate/10^  Hours  MDT  (hours) 


Air -Conditioners 
Antenna  Group 

Redundant  l&P/Computer  String 

Global  Tilines 

Ensemble  Group 

Global  Memory  Sets 

Link  Switch  and  Circuit  Breakers 

Redundant  Communications  String 

2 Failure  Rates  = 

2 (Failure  Rate  x MDT)  - 

MDT  = 2(Fallure  Rate  x MDT)  - 1. 

2Failure  Rates 


0.02 

1.0 

20.6 

2.0 

5.20 

1.0 

5.86 

2.0 

0.571 

0.8 

4.596 

1.0519 

4.6 

2.0 

7.46 

1.0 

48.907  failures  per  million  hours 
80.091  x 10“6 
hours 


MTBF  = 1 

2 Failure  Rates 


20,447  hours 


MAXIMUM  CORRECTIVE  MAINTENANCE  TIMES.  These  values  can  be  computed  for  each 
of  the  20  element  types  by  using  as  inputs  the  individual  downtimes  taken  from 
the  element  status  time  summary,  part  1 (table  3).  These  will  be  applied  to 
the  calculator,  which  will  be  programed  with  the  necessary  statistical  algo- 
rithms to  produce  the  90th  percentile  of  the  maximum  corrective  maintenance 
time  for  each  element  type.  These,  in  turn,  can  be  used  as  inputs  to  obtain 
the  90th  percentile  of  the  maximum  corrective  maintenance  time  for  the  single 
and  dual-channel  sensors,  using  the  mathematical  models  previously  discussed. 
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SUMMARY 


The  main  objective  of  the  reliability  and  maintainability  evaluation  is  the 
identification  of  weak  points  and  problem  areas  in  the  system  design.  The 
three  program  outputs  of  the  ARAP  should  provide  significant  aids  toward 
meeting  this  objective.  The  status  summaries  provide  a continuous  running 
history  of  each  of  the  200+  DABS  elements  in  each  sensor,  including  periods  of 
downtime  caused  by  corrective  maintenance.  A comprehensive  failure  history  is 
also  provided  for  each  element  by  the  hardware  failure  summary,  while  the  part 
failure  summary  provides  information  concerning  analysis  and  disposition  of 
the  parts  concerned  for  each  failure. 

The  calculator  printout  provides  further  information  on  element  type  failure 
rates  and  MDT's.  The  effective  failure  rates  and  MDT's  of  the  various  sections 
and  subsections  are  also  provided.  Finally,  the  overall  system  failure  rate, 
MTBF,  and  MDT  are  provided  for  both  single-  and  dual-channel  sensors. 

The  calculator  program  has  the  capability  of  varying  the  maximum  time  to 
replacement  of  redundant  PCB's  plugged  into  critical  Tilines.  The  effect  of 
this  variation  upon  subsection,  section,  and  system  failure  rates  can  be  very 
quickly  observed,  since  all  that  is  required  is  to  key  in  the  new  MAXIMUM 
TIME  TO  REPLACEMENT  OF  FAILED  PCB's.  Element  type  data  need  not  be  reentered, 
since  this  is  retained  in  the  calculator  memory.  Hence,  the  effect  upon  the 
overall  system  MTBF  of  changing  the  maximum  time  to  replacement  from  1 month 
1720  hours)  for  the  single-channel  or  18  hours  for  the  dual-channel  sensors 
can  be  quickly  and  easily  ascertained. 
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APPENDIX  A 


STATE  DIAGRAM  TECHNIQUE  FOR  DETERMINING  EQUIVALENT  FAILURE  RATE  AND  MDT  OF  THE 
DABS  ENSEMBLE  GROUP  AND  THE  (^)  COMMUNICATIONS  COMPUTERS  COMPOSITE 


Since  the  (3)  communications  computers  and  the  (^®)  ensemble  group  are  not 
Independent^  the  effective  failure  rate  of  the  two  redundant  combinations 
considered  as  one  composite  entity  must  be  determined  using  the  state  diagram 
technique.  This  composite  failure  rate  is  then  apportioned  between  the  two 
combinations  in  accordance  with  the  appropriate  states  of  the  state  diagrams. 

The  ensemble  group  consists  of  seven  ensembles,  each  of  which  contains 

four  computers.  Two  additional  computers  used  with  the  ensemble  group  are 
physically  attached  to  the  ATCRBS  Tlline.  Each  of  the  seven  ensemble  Tilines 
communicates  with  each  global  memory  through  a coupler  pair.  Thus,  four  coup- 
lers are  associated  with  each  of  the  seven  ensembles.  Failure  of  any  one  of 
these  four  couplers  will  cause  loss  of  that  ensemble. 

For  purposes  of  determining  the  probabilities  of  the  various  operational 
states  of  the  composite,  each  of  the  seven  ensembles  is  divided  into  three 
parts:  G,  E,  and  C.  Part  G consists  of  the  two  couplers  located  in  the  global 
Tilines.  Part  E consists  of  the  ensemble  Tiline  together  with  its  two  couplers 
and  the  +5-volt  triplex  power  supply.  Part  C consists  of  the  four  computers. 

The  two  computers  attached  to  the  ATCRBS  Tiline  will  be  considered  the  fourth 
part  of  the  composite  (part  c),  while  the  three  communications  computers  will 
he  considered  the  fifth  part  (part  c). 

The  composite  has  many  operational  states  consisting  of  6 or  7 part  G's,  6 or 
7 part  E's,  23  to  28  part  C's,  0 to  2 part  c's,  and  2 or  3 part  c‘'s.  Table  A-l 
shows  the  30  most  significant  states,  each  of  which  has  a state  probability  of 
at  least  lxlO-6.  Each  of  the  five  parts  which  comprise  the  probabilities  of 
each  of  these  30  states  is  described  below: 

1.  Part  G has  a 720-hour  maintenance  philosophy;  therefore,  the  probability 

of  seven  part  G’s  being  available  for  720  hours  is  P7G  “ e”^,  where  U * 7x720x  G, 
where  AG  is  the  failure  rate  of  the  two  couplers  comprising  part  G. 

A G * 2x8.b(10-h)  - 1.72(10-5);  therefore  U ■ .086688  and  P7G  " .91696314. 

The  failure  of  one  of  these  global  couplers  would  leave  six  remaining  part  G’s, 
the  probability,  P(,g»  of  which  is  Ue-^  or  .0794897. 

2.  Since  part  E is  corrected  immediately  upon  failure,  the  probability  of 

one  of  these  parts  being  available  at  any  given  time  is  Pg  “ Uf.  where 

Ue  + De 

Ur  «nd  Dg  are  the  MTBF  and  MDT,  respectively,  of  the  part. 

Since  Ug  " 1/  A g,  Pg  can  also  be  expressed  as  1 , 

1 + x EUE 

where  g ■ 'Tiline  * ^couplers  x X^riplex  PS 
'triplex  PS  * °*93  x 10~6,  as  per  Bib  of  the  text. 
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IABLE  A-l.  STATE  DIAGRAM  FOR  EQUIVALENT  FAILURE  RATE  DETERMINATION  OF 


Failure  Modes 


tatej  Configuration  Probability 


□ aHDa5S 


p31c  - P7G  x P7E 
* p27c  x Pi" 


x Ptf 

- .00: 


155083 


□ AgglDAgg 
— 1 A QO  Ha  qO  p31D  " P7G  x 

£5  oo| LJLA  00  p7e  x p27c 


p2c  x p2c 
- . 00232624 


DaSS 

n.3a  P31E  x p7G  X 
1—1 A JQ  P7E  x p28G 

r— | A DO  x plc  x p2c 
LJ Aon  . .0598177 

□ aSSIOO  5 


•00 


□ AgglJAgg 

n . QQ  P31F  - p7G  x 
uAjp  P7E  x p28c 

□AasiGAig]:  !§y5& 


Rill 
(■KMHI 


□ a 


□ a 


8/9  X P7G  7G 
x p26c  + 
p3?  7E 
62  x 10-6 


□ AggoA 


□ a 


__  P30B  “ 1 x P7G 

□ AggJ  9 

x P7E  x p26c 
x p2c  x p2c  , 
- 1.4955  x IQ"6 


SUBTOTAL 


CUMULATIVE 

TOTAL 


.08586303 


.83274947 


TABLE  A-l.  STATE  DIAGRAM  FOR  EQUIVALENT  FAILURE  RATE  DETERMINATION  OF 
ENSEMBLE /COMMUNICATIONS  COMPUTER  COMI’OSITE  (Continued) 


T Failure  Modes 

ate  Configuration  Probability 


□ AggldAgg 


PiOc  - 8/9  x P7G 
x P7E  x P26c 


n A DC  * p2c  * p2c  c 
LJ^nn  ■ 1.1964  x 10”^  i 2 


*00  g 


dAgg 


□ Agg 


BWiEHilffigll 

KM 


dA"|dA 


PjOD  “ P7G  x 
p7E  * p27c 
x P0c  x P;£ 

- 2.6592  x 10"4 


_ -,nip30E  “ P7G  * 

□ A 3n  p7‘  x p27c 
x Pic  x ?2c 
- 7.1786  x 10-4 


□ A 


□ A 


r— 1 A P,0P  - P7C  * 

i_)A  P7E  x l’28c 

x Poc  x P2c 
-.01025704 


p29A  - 8 x P7G 
9 

x p7E  x P26C 
x POc  x Pj(> 

- 1.3677  x 10-8 


[— I a QDl  p29B  * 8/9  x P7G 
LJAAnnlx  P7k  x P:’h,- 


OOlx  P7E  x P2bc 
x Pic  x P2c 
- J . 6921  x 10-8 


SUBTOTAL 


CUMULATIVE 
TOTA' 


1.1258  x 10” ‘ 


.84400732 
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I ABLE  A-l.  STATE  DIAGRAM  FOR  EQUIVALENT  FAILURE  RATE  DETERMINATION  OF 

_ ENSEMBLE /COMMUNICATIONS  COMPUTER  COMPOSITE  (Continued) 

! i Failure  Modes 


>tate|  Conf igura t ion  Probability 


Failure  RatelProb.  x*ai‘ 


□aHDAgg 


P29c  “ P70  * 

P7E  x p27c 
x POc  x ?2c  , 

- 1.2309  x 10-4 


P29D  “ P7G  x 
p6E  x ?28c 
x p2c  x P3? 

- 1.1802  x 10-4 


no  n a °° 
cq|U  Ann 

n . ja  P29E  “ p6C  x 

LI AJa  P7E  x P28c 

I — | a □□  * p2c  x p3'c 
1—1 A Qn  - 3.6302  X 10-2 


P29F  - 3 x P6G 
a a°|  7 

J=J|  x P7E  x P27c 
X P2r  X P3c 
- 6.2236  x 10-5 


P29G  “ i x PbG 
7 

x P 6E  x P28o 
x P2c  x Pj^ 

- 1.9615  x 10-6 


n a oa| P28A  “ P/G  x 

l—l  x-A  ool  P6E  X P28c 


x Pic  x P3£* 

- 3.6919  x 10-5 


3.6693  x 10"2 


.88065039 


XE  - 2.013  (10“5) 

D£  = (MDTTillne  xxTiiine)  + (MPT  couplers  *Acouplers)  + (MDTps  x APS) 
= 1.9538  hours 


1 + dE 
= .99996067 

The  probability  of  seven  part  E's  being  available  at  any  time  ia  P7E  - (PE)7  “ 
.99972473.  The  probability  of  6 part  E'a  being  available  at  anytime  is 
P6E  * 7(Pe)6  qE  where  qE  - 1 - PR.  Thus,  P6e  - 2.7523  (10^). 

3.  Part  C consists  of  the  28  computers  contained  within  the  seven  ensembles; 
hence,  like  part  E,  the  direct  repair  philosophy  applies.  For  a single  part  C, 
Ac  = 2.143x10“^  and  Dc  - 2.  Then,  using  the  same  approach  as  for  part  E, 

Pc  = .99957158,  and  qc  **  4.2842x10”^.  Although  as  few  as  23  part  C's  need  be 
available  to  maintain  system  operation,  states  containing  less  than  26 
part  C's  will  have  insignificant  state  probabilities,  hence  will  not  be  con- 
sidered in  this  analysis.  Then, 

P28C  * Pc28  “ .98807336 

P27C  = (2f)  Pc279c  “•01185777 

p 26C  “ <28)  Pc269c2  " 6.8611x10-5 

4.  Since  part  "c"  is  attached  to  the  ATCRBS  Tiline,  which  is  critical  to 
system  operation,  the  720-hour  maintenance  philosophy  applies;  therefore: 

P2c  = e-U  where  U - 2 x 2.143  (10**)  x 720  - .308592, 

P2c  * .73448038, 

Pj^"  “ Ue“0  = .22665477,  and 

P0c” “ 1 - P2c  - Pic  “ .03886485. 

5.  As  part  /c‘  is  attached  to  the  communications  Tiline,  which  is  critical  to 
system  operation,  the  720-hour  maintenance  philosophy  likewise  applies;  there- 
fore: 

P3^=  e-U  where  U = 3 x 2.143  (10~4)  x 720  - .462888, 

P3^>-  .62946313,  and 
p2cm  Ue-U  - .29137093. 
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Depending  upon  the  particular  operational  state,  system  outage  can  occur 
upon  failure  of  any  5,  6,  or  7 part  G'a  or  E's;  23  or  24  part  C's;  1 or  2 
part  c's;  or  2 or  3 part  c's.  These  failure  rates  are: 

*5G  “ 5 x \q  = 5 x 1.72  (10-5)  - 8.6  (10-5) 

A6G  = 6 * *G  * 6 x 1.72  (10-5)  - 1.034  (10"*) 

*7G  “ 7 x Ac  - 7 x 1.72  (10~5)  - 1.204  (10-4) 

*5E  = 5 x AE  * 5 » 2.013  (10-5)  - 1.0065  (10-4) 

A6E  = 6 x Ae  = 6 x 2.013  (10-5)  - 1.2078  (10-4) 

A7E  - 7 x AE  = 7 x 2.013  (10-5)  - 1.4091  (10-4) 

\2_ic  * 23  x 2.143  (10-4)  =.  4.9289  (10-3) 

A 24c  = 24  x 2.143  (10~4)  - 5.1432  (10~3) 

Aic-  = 2.143  (10-4) 

*2c  “ A2c  = 4.286  (10-4) 

A3£  = 6.429  (10-4) 

Table  A-l  shows  the  states  and  failure  modes  for  all  the  significant  states. 
Note  that  the  configuration  diagrams  show  the  five  parts  of  the  composite  by 
means  of  different  symbols.  A failure  in  any  part  is  indicated  by  a solid 
symbol. 

In  state  33,  all  30  ensemble  computers  (28C  and  2c")  and  all  three  communica- 
tions computers  (3cJ  are  operational,  therefore  the  probability  of  the 
composite  being  in  state  33  is  P7g  x Pyg  x P28C  x P2c  x p3c»  Should  a 
part  C or  c fail,  29  computers  will  still  remain  in  the  ensemble  group; 
which  is  3 more  than  the  required  26.  Should  a communications  computer  (c) 
fail,  there  will  still  be  the  required  2c,  and  the  system  will  remain  opera- 
tional. Should  either  a G or  an  E part  fail,  the  ensemble  concerned,  with 
its  four  computers,  will  be  unavailable  to  the  system,  but  there  will  still 
be  26  ensemble  computers  available.  There  are  therefore  no  failure  modes  in 
state  33. 

In  state  32A,  one  of  the  computers  in  one  of  the  seven  ensembles  (part  C) 
has  failed.  In  case  of  failure  of  a G or  E part  in  any  of  the  remaining  6 
ensembles,  there  would  now  be  only  25  computers  left  in  the  ensemble  group. 

The  ensemble  group  will  then  preempt  the  spare  communications  computer  (£) 
to  provide  the  26th  computer.  As  there  are  now  the  required  26  computers  in 
the  ensemble  group  as  well  as  the  required  two  communications  computers,  there 
are  therefore  no  failure  modes  in  state  32A. 
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State  32B  is  similar  to  32A  with  the  exception  that  one  of  the  two  ensemble 
computers  attached  to  the  ATCRBS  Tiline  (c)  has  failed.  By  similar  reasoning, 
there  are  no  failure  modes  in  state  32B. 

In  state  32C,  one  of  the  three  communications  computers  (c;  has  failed.  As 
there  are  now  only  two  communications  computers  (surveillance  and  CIDIN)  left, 
failure  of  either  of  these  ( A2c ')  will  cause  system  outage. 


In  state  31A,  two  computers  in  the  same  ensemble  have  failed.  The  expression 
for  the  state  probability  is  obtained  as  follows.  There  are  (A)  m 6 combina- 
tions of  the  failed  computers  within  the  ensemble  containing  them.  There  are 
(|)  » seven  ways  in  which  the  ensemble  containing  the  failed  computers  can  be 
contained  within  the  seven  ensembles  of  the  group.  Hence,  there  are  7x6  * 42 
combinations  of  state  31A.  But  there  are  a total  of  (28)  ■ 378  ways  in  which 
two  failed  C parts  can  occur  among  the  28  part  C's  in  the  ensemble  group. 

This  is  equal  to  1/9  P26C*  Failure  of  a G or  E part  in  any  of  the  other 
six  ensembles  would  leave  only  22  part  C’s  left.  Even  with  the  two  part  c's 
and  the  redundant  c,  there  would  still  be  only  25  computers  available  to  the 
ensemble  group,  hence  a system  outage  would  occur. 

In  state  31B,  the  two  failed  computers  occur  in  different  ensembles.  There 
are  (?)  - 4 combinations  of  failed  computers  in  each  of  the  two  ensembles, 
and  there  are  (2)  - 21  combinations  of  these  two  ensembles  among  the  seven 
ensembles  of  the  group.  Thus,  there  are  21  x 4 x 4 - 336  combinations  of 
state  31B,  which  is  equal  to  8/9  P26C*  Should  a G or  E part  in  either  of  the 
two  ensembles  containing  a failed  computer ^f ail,  there  would  still  be 
23  part  C's,  2 part  c's,  and  the  redundant  c which  would  be  preempted  by  the 
ensemble  group  to  provide  its  required  26  computers.  However,  a failure  in 
a G or  E part  of  any  of  the  other  five  ensembles  would  result  in  a total  of 
only  25  computers  in  the  ensemble  group,  thereby  causing  system  outage. 

The  coefficients  and  failure  modes  for  the  remaining  states  are  derived  in 
a similar  manner.  In  states  28A  through  28G,  one  ensemble  plus  an  additional 
c,  c,  or  C part  from  another  ensemble  have  failed.  The  redundant  communica- 
tions computer  has  been  preempted  by  the  ensemble  group  to  provide  the 
necessary  26  computers;  hence,  failure  of  any  computer  (C,  c,  or  c),  or  fail- 
ure of  any  of  the  remaining  six  ensembles  will  cause  system  outage. 

The  effective  failure  rate  of  the  two-subsystem  composite  is: 

Xgpp  « E(State  Probabilities  x Failure  Rates) 

Estate  Probabilities 

= 3.2543x10"^  = 357.96  failures  per  million  hours 
.90913252 

The  portion  of  this  failure  rate  attributable  to  the  (2)  communications  compu- 
ters Oclc)  is  determined  by  those  states  where  the  redundant  communications 
computer  is  in  use  by  either  of  the  two  subsystems.  These  states  are:  32C, 
31D,  31E,  30B,  30C,  30E,  30F,  29B,  29C,  and  all  seven  versions  of  state  28. 
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Since  the  above  states  have  no  communications  redundancy,  failure  of  either 

of  the  two  communications  computers  will  cause  system  failure.  Then, 

G 

Vic  = a2c  (P32CH>iin+P31E+P^0B+P30C+P30B+P3QF+P29B+P29C+£°A  P28l) 

.90913252 

= 139.37  failures  per  million  hours. 

The  remainder  of  the  effective  failure  rate  is  that  of  the  ensemble 

computer  group.  This  failure  rate,  Xg2  ■ 357.96  - 139.37  = 218.59  failures 
per  million  hours. 

For  the  effective  MDT  calculations,  the  actual  repair  time  (2-hour)  philosophy 
will  apply  for  all  five  parts.  This  will  not  change  the  part  probabilities  of 
the  E and  C ensemble  parts,  but  for  the  G,  c,  and  c parts,  the  part  proba- 
bilities are  as  follows: 

PjG  = .9997592331 

P6G  **  2.407420233x10“^ 

P2J  - .9991433508 

Pic  = 8.56465608x10“^ 

P0£  = 1.8354205955x10-7 

P3^  = .9987153014 

P2c  = 1.284148135x10-3 

The  30  states  of  table  A-l  are  summarized  in  table  A-2  using  the  above  part 
probabilities  for  MDT  determination.  Since  the  numerator  of  the  MDT  expression 
is  equal  to  the  difference  of  two  nearly  equal  quantities  (i  - E State  Proba- 
bilities), some  additional  states  must  be  considered  in  order  to  avoid  large 
errors.  These  states  are:  29F'  and  28C',  which  are  states  29F  and  28C,  with 
PbG  and  P7E  interchanged  with  P7G  and  in  each.  State  30G,  representing 
all  combinations  of  states  where  three  part  C's  have  failed,  is  also  added. 

The  MDT  for  the  composite  turned  out  to  be  1 hour,  and  will  be  used  for  both 
the  ensemble  group  and  the  (|)  communications  computers. 
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TABLE  A-2.  STATE  SUMMARY  FOR  DETERMINATION  OF  MDT  OF  ENSEMBLE/COMMUNICATIONS  COMPUTER  COMPOSITE 


TABLE  A-2.  STATE  SUMMARY  FOR  DETERMINATION  OF  MOT  OF  ENSEMBLE/COMMUNICATIONS  COMPUTER  COMPOSITE  (Continued) 


TABLE  A-2.  STATE  SUMMARY  FOR  DETERMINATION  OF  MDT  OF  ENSEMBLE/ COMMUNICATIONS  COMPUTER  COMPOSITE  (Continued) 
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STATE  DIAGRAM  TECHNIQUE  FOR  DETERMINING  THE  EQUIVALENT  FAILURE  RATE  OF 
THE  (})  SURVEILLANCE  TRANSMIT  COMBINATION 

The  probabilities  of  the  various  operational  states  of  the  surveillance  transmit 
combination  are  functions  of  the  probabilities  of  three  element  types.  These 
are  the  serial  elements  of  the  communications  I/F  PCB's  (S),  the  A and  B 
channel  elements  of  the  communications  I/F  PCB’s  (A  and  B) , and  the  modems 
associated  with  each  channel  element  (MA  and  MB).  Since  a minimum  of  two  of 
each  element  type  is  required  to  maintain  the  system  operational,  the  proba- 
bilities involved  are  P3S,  P2s»  P3A,  P2A,  P3B»  P2B»  P3MA,  P2MA.  P3MB>  and  P2MB- 
Since  the  corresponding  elements  for  channel  A and  B are  identical,  then  P^A  " 
P3B  = P3T;  P2MA  = P2MB  = P2M>  etc. 

Depending  upon  the  particular  operational  state,  system  outage  can  occur  upon 
failure  of  any  of  two  or  three  part  S’s;  or  two  part  A’s,  B's,  MA's,  or  MB's. 
Table  B-l  shows  the  states  and  failure  modes  for  all  the  significant  operational 
states.  S and  T represent  the  serial  and  channel  elements,  respectively,  of 
the  communications  I/F  PCB’s  while  M represents  the  modems. 

In  state  1,  all  elements  are  operational.  Should  one  serial  element  fail, 
there  will  still  be  two  channel  A's  and  B's,  and  the  system  will  remain  opera- 
tional. If  an  A or  MA  element  fails,  there  will  still  be  two  A channels  and 
three  B channels,  and  the  system  will  remain  operational.  There  are,  therefore, 
no  failure  modes  in  state  1. 

In  state  2,  a PCB  channel  element  for  channel  A has  failed.  Failure  of  either 
of  the  other  two  serial  elements  will  leave  only  one  A channel  operational; 
hence,  this  causes  a system  outage.  Likewise,  failure  of  either  of  the 
remaining  two  A channel  elements  or  their  respective  monems  will  leave  only 
one  remaining  A channel  with  subsequent  loss  of  system  operation.  Since  there 
■ire  three  B channels  available  failure  of  a B channel  element  or  modem  will 
not  cause  system  loss.  States  3,  4,  and  5 are  similar. 

In  state  6,  both  channel  elements  of  a single  communications  I/F  PCB  have 
failed.  Therefore,  only  two  A and  B channels  are  now  available.  Failure  of 
a channel  element  or  its  associated  modem  in  any  of  these  remaining  four 
channels  will  cause  system  outage. 

In  state  7,  a channel  A element  in  one  PCB  and  a channel  B element  on  a 
second  PCB  have  failed.  This  leaves  two  A and  two  B channels.  In  addition 
to  failure  of  any  channel  element  or  modem  in  these  four  channels,  failure 
of  any  of  the  three  serial  elements  will  leave  less  than  the  required  two 
A and  B channels;  hence,  system  loss  will  result. 

The  remaining  failure  modes  are  derived  in  a similar  manner.  The  various 
configurations  of  each  state  are  summarized  in  table  13  of  the  text. 
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State  1 of  the  suo^fy  corresponds  to  state  1 of  table  B-l. 

State  2 of  the  suq^jy  Corresponds  to  the  sum  of  states  2 and  3 of  table  B-l. 

State  3 of  the  sufl^jy  corresponds  to  the  sum  of  states  4 and  5 of  table  B-l. 

State  4 of  the  sunpary  corresponds  to  the  sum  of  state  6 (with  2S  + 4T  + 4M 

failure  rate)  and  state  7 (with  3S  + 4T  + 4M  failure  rate)  of  table  B-l. 

State  5 of  the  sum^ry  corresponds  to  the  sum  of  states  8 and  13  (with  2S  + 2T 

+ 2M  failure  ratesT,  states  10  and  12  (with  2S  + 4T  + 4M  failure  rates),  and 

states  11  and  14  (w^th  3S  + 4T  + 4M  failure  rates)  of  table  B-l. 

State  6 of  the  summary  corresponds  to  the  sum  of  state  18  (with  2S  + 4T  + 4M 
failure  rate)  and  state  19  (with  3S  + 4T  + 4M  failure  rates)  of  table  B-l. 

State  7 of  the  summary  corresponds  to  state  9 of  table  B-l. 

State  8 of  the  summary  corresponds  to  the  sum  of  states  15  and  16  of  table  B-l. 

State  9 of  the  summary  corresponds  to  the  sum  of  states  17  and  20  of  table  B-l. 

State  10  of  the  summary  corresponds  to  state  21  of  table  B-l. 

State  11  of  the  summary  corresponds  to  the  sum  of  states  22,  23,  24,  and  25 
of  table  B-l. 

EQUIVALENT  FAILURE  RATE  DETERMINATION 

Ag  = Serial  Element  Failure  Rate  = 11.12  x 10~& 

P 3 S = e_u  where  u = 3 x 11.12  x 10“6  x 720  * .0240192 
P3S  = .97626697  P2S  = ue~u 

P2S  = .02344915 

AA  = Ag  = Channel  A or  B Transmit  Element  Failure  Rate  » 5.56  x 10"6 

P3A  = P3B  = e_u  where  u = 3.5.56  x 10”6  x 720  = .0120096 

p3A  = P3B  “ e-*0i20096;  p2A  = P2B  = Ue“U 

P3A  = P3B  = .98806223  = P3T 

P2A  = P2B  = .01186623  = P2T 

Am  = Failure  Rate  of  Modem  = 66.67  x 10“6 
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